Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1530689
MD5:	8cb76a38da8b77222f850a12a23be3d2
SHA1:	6c36de21d0cc3a1c67b12793dbe3d7756baeb37f
SHA256:	de2b5639497759238a59d9dad853eec24e89652b15ca26125f549edc5b1dd92d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8CB76A38DA8B77222F850A12A23BE3D2)

taskkill.exe (PID: 6748 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7064 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1308 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3872 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4460 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2412 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3848 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3220 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5852 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eaedab3-4b51-4b12-9051-af95aa17859e} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df53c6f310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7428 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4719529b-836d-4975-a581-e10641ea7f9d} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df65da5310 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8184 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5328 -prefMapHandle 2640 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac80dba-0188-4f1b-b01b-50611a6dda15} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df6ea1e110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6696	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00A2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A2ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00A2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A1AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A49576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1745568766.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_20e40b53-2
Source: file.exe, 00000000.00000000.1745568766.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dacda06d-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ee3549f9-b
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6ec7a4dc-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B1397D6637 NtQuerySystemInformation,		16_2_000001B1397D6637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B1397F9972 NtQuerySystemInformation,		16_2_000001B1397F9972

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A1D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A1E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A22046	0_2_00A22046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B8060	0_2_009B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A18298	0_2_00A18298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EE4FF	0_2_009EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E676B	0_2_009E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A44873	0_2_00A44873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DCAA0	0_2_009DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BCAF0	0_2_009BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CCC39	0_2_009CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E6DD9	0_2_009E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B91C0	0_2_009B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CB119	0_2_009CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1394	0_2_009D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1706	0_2_009D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D781B	0_2_009D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D19B0	0_2_009D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B7920	0_2_009B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C997D	0_2_009C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D7A4A	0_2_009D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D7CA7	0_2_009D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1C77	0_2_009D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E9EEE	0_2_009E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3BE44	0_2_00A3BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D1F32	0_2_009D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B1397D6637	16_2_000001B1397D6637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B1397F9972	16_2_000001B1397F9972
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B1397FA09C	16_2_000001B1397FA09C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B1397F99B2	16_2_000001B1397F99B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009D0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009CF9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A237B5 GetLastError,FormatMessageW,

0_2_00A237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A110BF AdjustTokenPrivileges,CloseHandle,		0_2_00A110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A1D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00A2648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1939141715.000001DF6EED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958726485.000001DF6EED6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1958819718.000001DF6EE5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eaedab3-4b51-4b12-9051-af95aa17859e} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df53c6f310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4719529b-836d-4975-a581-e10641ea7f9d} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df65da5310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5328 -prefMapHandle 2640 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac80dba-0188-4f1b-b01b-50611a6dda15} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df6ea1e110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eaedab3-4b51-4b12-9051-af95aa17859e} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df53c6f310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4719529b-836d-4975-a581-e10641ea7f9d} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df65da5310 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5328 -prefMapHandle 2640 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac80dba-0188-4f1b-b01b-50611a6dda15} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df6ea1e110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1978857554.000001DF6E601000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1981543839.000001DF634AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1978680220.000001DF634A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977835268.000001DF63491000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1981543839.000001DF634AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1981543839.000001DF634AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1978680220.000001DF634A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977835268.000001DF63491000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1963737957.000001DF6646A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1978857554.000001DF6E601000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1981543839.000001DF634AA000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009B42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D0A76 push ecx; ret

0_2_009D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A41C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95038

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001B1397D6637 rdtsc

16_2_000001B1397D6637

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A1DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A268EE FindFirstFileW,FindClose,	0_2_00A268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00A2698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A1D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A1D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A29642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A2979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A29B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A25C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A25C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009B42DE

Source: firefox.exe, 00000011.00000002.3006119429.0000020570FFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPGPq
Source: firefox.exe, 00000010.00000002.3007803310.000001B13964A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW ]
Source: firefox.exe, 00000010.00000002.3014548023.000001B139E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: firefox.exe, 0000000F.00000002.3007766084.0000019F7F72A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3013323059.0000020571500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3014505073.0000019F7FC12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3015477677.0000019F7FD00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3014548023.000001B139E90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001B1397D6637 rdtsc

16_2_000001B1397D6637

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2EAA2 BlockInput,

0_2_00A2EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_009D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A10B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D09D5 SetUnhandledExceptionFilter,	0_2_009D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_009F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1B226 SendInput,keybd_event,

0_2_00A1B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00A10B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A11663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1965343205.000001DF6E601000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D0698 cpuid

0_2_009D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A28195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00A28195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A0D27A GetUserNameW,

0_2_00A0D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009EBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_009EBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6696, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6696, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00A31204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A31806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	Virustotal		Browse
https://datastudio.google.com/embed/reporting/	0%	Virustotal		Browse
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	Virustotal		Browse
https://json-schema.org/draft/2019-09/schema.	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://www.msn.com	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.193	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.120	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.46	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.181.238	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.193.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.170	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1953966341.000001DF6BF7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B1399C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3009328464.00000205714C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1963737957.000001DF6646A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862545271.000001DF6CDF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971412543.000001DF6CD0F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3010353272.0000019F7FBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B1399E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3013597841.0000020571603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1957185527.000001DF6C09D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835269714.000001DF6C0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904468024.000001DF6C096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906600480.000001DF6C096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833843206.000001DF6C0A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917100652.000001DF6C096000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3009328464.000002057148F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1949512195.000001DF6D4F7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://twitter.com/pD5	firefox.exe, 0000000D.00000003.1949512195.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942844689.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1963913773.000001DF65E61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976293512.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991977552.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1962418062.000001DF6C1D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1944082499.000001DF6C25D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964814925.000001DF64FE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1797695762.000001DF63600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798095331.000001DF6385A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798215903.000001DF63877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797827733.000001DF6381F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797962817.000001DF6383C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1958853451.000001DF6EE34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972745759.000001DF6EE34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948409782.000001DF6EE34000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1975584080.000001DF674DC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1952773615.000001DF6C1BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975331631.000001DF6C1BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984938750.000001DF6C1BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1944082499.000001DF6C28F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913852873.000001DF6CD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797827733.000001DF6381F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797962817.000001DF6383C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1986735401.000001DF67088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955033380.000001DF67088000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1797695762.000001DF63600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798095331.000001DF6385A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798215903.000001DF63877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797827733.000001DF6381F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797962817.000001DF6383C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.2000621093.000001DF65C1C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1949512195.000001DF6D4F7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3010353272.0000019F7FBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B1399E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3013597841.0000020571603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1961621558.000001DF6EABC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1942844689.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1958973201.000001DF6ED53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1940379140.000001DF6EB38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960690883.000001DF6EB31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3010353272.0000019F7FBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B1399E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3013597841.0000020571603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1955033380.000001DF67088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B13990A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3009328464.000002057140C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1963913773.000001DF65E61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976293512.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991977552.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1961621558.000001DF6EABC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1944082499.000001DF6C28F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953966341.000001DF6BF7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B1399C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3009328464.00000205714C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1954252741.000001DF6B9E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1862021097.000001DF6CE1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1851178281.000001DF651D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899267108.000001DF651D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933330621.000001DF651D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1961621558.000001DF6EA58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1944082499.000001DF6C2C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1950736048.000001DF6C2C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962055396.000001DF6C2C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1960690883.000001DF6EB31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000002.3009910053.000001B139912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3009328464.0000020571413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963913773.000001DF65E61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976293512.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991977552.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1943769021.000001DF6D0BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.3009910053.000001B139986000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1975584080.000001DF674DC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1862021097.000001DF6CE1A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1851178281.000001DF651D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980573442.000001DF64AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931540127.000001DF650F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962960146.000001DF66567000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913034951.000001DF6CEC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1804769654.000001DF64AC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859963331.000001DF6CDD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1857562654.000001DF64AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833843206.000001DF6C0EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990257262.000001DF660E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975769207.000001DF670B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908355391.000001DF65087000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977949004.000001DF61175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980573442.000001DF64A92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899267108.000001DF65154000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955313136.000001DF67050000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976393203.000001DF65DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975331631.000001DF6C191000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1969707907.000001DF6CE9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835269714.000001DF6C0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989389378.000001DF664FD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1986735401.000001DF67088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955033380.000001DF67088000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1986735401.000001DF67088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962626021.000001DF66576000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989067611.000001DF66576000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955033380.000001DF67088000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1944082499.000001DF6C25D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1955033380.000001DF67078000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1955033380.000001DF67078000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1957185527.000001DF6C09D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835269714.000001DF6C0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904468024.000001DF6C096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906600480.000001DF6C096000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833843206.000001DF6C0A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917100652.000001DF6C096000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1952773615.000001DF6C1BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975331631.000001DF6C1BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984938750.000001DF6C1BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1942844689.000001DF6D4AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974621867.000001DF6D4AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1952773615.000001DF6C1BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975331631.000001DF6C1BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1984938750.000001DF6C1BD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1923619772.000001DF61139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799183703.000001DF61133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966623887.000001DF61139000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1862021097.000001DF6CE1A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1852398511.000001DF65253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977046123.000001DF65269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1993709414.000001DF65269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964192648.000001DF65266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2001876635.000001DF65269000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1975769207.000001DF670B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954787010.000001DF670B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1986735401.000001DF670B5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1862021097.000001DF6CE1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861648284.000001DF6CE3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861305736.000001DF6CE2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1923619772.000001DF61139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799183703.000001DF61133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966623887.000001DF61139000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1961621558.000001DF6EABC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3010353272.0000019F7FBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B1399E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3013597841.0000020571603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1962418062.000001DF6C1D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1963913773.000001DF65E61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976293512.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1991977552.000001DF65E81000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1972634186.000001DF6EED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1972193741.000001DF6F4BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3008944623.0000019F7F7D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3008249736.000001B139750000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3008416217.0000020571300000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1797962817.000001DF6383C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1943769021.000001DF6D0BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1797695762.000001DF63600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798095331.000001DF6385A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854200845.000001DF6CD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798215903.000001DF63877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913852873.000001DF6CD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797827733.000001DF6381F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797962817.000001DF6383C000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
52.222.236.120	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530689
Start date and time:	2024-10-10 11:40:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@69/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 45 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.242.27.108, 44.238.148.23, 44.224.63.42, 142.250.186.78, 2.22.61.59, 2.22.61.56, 142.250.185.234, 142.250.181.234, 142.250.185.78
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 3220 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:41:18	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	zYlQoif21X.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.120	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	zYlQoif21X.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	zYlQoif21X.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	zYlQoif21X.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://loadfile.komanda.cl/	Get hash	malicious	Unknown	Browse	34.117.59.81
	na.elf	Get hash	malicious	Unknown	Browse	34.101.44.136
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	na.elf	Get hash	malicious	Mirai	Browse	34.66.203.60
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	zYlQoif21X.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	34.117.188.166
ATGS-MMD-ASUS	na.elf	Get hash	malicious	Mirai	Browse	56.134.106.66
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Mirai	Browse	56.134.106.66
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Unknown	Browse	34.53.115.85
	na.elf	Get hash	malicious	Unknown	Browse	48.236.230.116
	na.elf	Get hash	malicious	Unknown	Browse	57.176.69.165
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
AMAZON-02US	https://na4.docusign.net/Signing/EmailStart.aspx?a=b4cf6218-13ec-46d9-aa5c-10723ebe7e7f&etti=24&acct=d9c705c1-5012-4d8b-98f5-b9c62798fde2&er=efa4815b-08b1-4fe7-b32f-ac28ff7e2554	Get hash	malicious	HTMLPhisher	Browse	35.161.37.142
	https://loadfile.komanda.cl/	Get hash	malicious	Unknown	Browse	76.76.21.21
	tjK8Z8Q3JH.exe	Get hash	malicious	Njrat	Browse	52.57.120.10
	na.elf	Get hash	malicious	Unknown	Browse	52.198.119.230
	na.elf	Get hash	malicious	Unknown	Browse	3.96.34.58
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.32.99.14
	na.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.48
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
ATGS-MMD-ASUS	na.elf	Get hash	malicious	Mirai	Browse	56.134.106.66
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Mirai	Browse	56.134.106.66
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Mirai	Browse	56.100.72.207
	na.elf	Get hash	malicious	Unknown	Browse	34.53.115.85
	na.elf	Get hash	malicious	Unknown	Browse	48.236.230.116
	na.elf	Get hash	malicious	Unknown	Browse	57.176.69.165
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	zYlQoif21X.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2d627b83-4d9d-43df-9aff-37184a419509.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181444355258808
Encrypted:	false
SSDEEP:	192:rjMXY6VcbhbVbTbfbRbObtbyEl7ngrfJA6WnSrDtTUd/SkDrS:rYNcNhnzFSJArGBnSrDhUd/8
MD5:	CE8828338691EB811DA6CA06274D5039
SHA1:	57AFF21A893C7E7472C29B5FDC2DDB60949B9A17
SHA-256:	D37B01FD004771D127D8B4BDE96734DE1B6D898027C3226E01348812779828AC
SHA-512:	FAA031D64A3CCC74DC9A19C86702C454665D122039BB940758E62BB4D9E7139B31D89C82D8C05DF10388C76ED3DD23FF27A6976359244683E77F5952BF676868
Malicious:	false
Preview:	{"type":"uninstall","id":"2d627b83-4d9d-43df-9aff-37184a419509","creationDate":"2024-10-10T11:31:23.283Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2d627b83-4d9d-43df-9aff-37184a419509.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181444355258808
Encrypted:	false
SSDEEP:	192:rjMXY6VcbhbVbTbfbRbObtbyEl7ngrfJA6WnSrDtTUd/SkDrS:rYNcNhnzFSJArGBnSrDhUd/8
MD5:	CE8828338691EB811DA6CA06274D5039
SHA1:	57AFF21A893C7E7472C29B5FDC2DDB60949B9A17
SHA-256:	D37B01FD004771D127D8B4BDE96734DE1B6D898027C3226E01348812779828AC
SHA-512:	FAA031D64A3CCC74DC9A19C86702C454665D122039BB940758E62BB4D9E7139B31D89C82D8C05DF10388C76ED3DD23FF27A6976359244683E77F5952BF676868
Malicious:	false
Preview:	{"type":"uninstall","id":"2d627b83-4d9d-43df-9aff-37184a419509","creationDate":"2024-10-10T11:31:23.283Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928646222344899
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN69t:8S+OfJQPUFpOdwNIOdYVjvYcXaNLRS8P
MD5:	EE8B6075043F5114736EF290218DB918
SHA1:	0605603A8B875C56F258519FE30C69D7C2381CF0
SHA-256:	1D032C34D2B4D2837CEBC1C55B3C125AA6DA73B8172AA4506F4FAF90AA7794C3
SHA-512:	E4B5F9A104B7145FDF7CF1EB737CF2CA05D17959BEF922C47E2F0B4951ADDE4A9476F6A7DE7F6196AA0BF40B9886D6C1117755D111DEDCC8EAFCAED0878E0600
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928646222344899
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN69t:8S+OfJQPUFpOdwNIOdYVjvYcXaNLRS8P
MD5:	EE8B6075043F5114736EF290218DB918
SHA1:	0605603A8B875C56F258519FE30C69D7C2381CF0
SHA-256:	1D032C34D2B4D2837CEBC1C55B3C125AA6DA73B8172AA4506F4FAF90AA7794C3
SHA-512:	E4B5F9A104B7145FDF7CF1EB737CF2CA05D17959BEF922C47E2F0B4951ADDE4A9476F6A7DE7F6196AA0BF40B9886D6C1117755D111DEDCC8EAFCAED0878E0600
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329664173245805
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiqX:DLhesh7Owd4+jiq
MD5:	84ADBCFAF1F29E4D99B6A8AEDC2F46C2
SHA1:	8145B799BCDA56BF9620DA5297C463A5881B3C23
SHA-256:	967821B98799ABBEBB047E3DF377D825792A8E9E45D18B63D8312651CAFFC194
SHA-512:	C0D03588DB2BD682725A7C64CF7AC606C8C8C375FCB3249151403E39A1BAA3C5307AE51BC80A40043B0CD41EC7004665968728D95C35B837A0F585BD9550C623
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFffNNir7X4fitHYlstFffNNir7X4fi1lD89//alEl:GtWt7Nnfe4Wt7NnfGZ89XuM
MD5:	1D1D7193DB88CF98732543CFB2C78CA6
SHA1:	9780C92F205F2FA86DDE8A89EBBE7EC0C9193632
SHA-256:	82CB0FE0E5A82F151D19DF9288467D5EE003C08567C914D594D192710ED4D127
SHA-512:	A803B966DCEAF7384B321BB1E34BFB0A9CA82E866792CE64E97A99EAE483A5EB25511083B1E6CDE67F46EF065A0CF877F25596607D410328179664F3B096E85F
Malicious:	false
Preview:	..-......................@P..oh...&.N.Tr..G.......-......................@P..oh...&.N.Tr..G.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03987425719201705
Encrypted:	false
SSDEEP:	3:Ol13+hxXkottIUrX3/hrl8rEXsxdwhml8XW3R2:KBsOErl8dMhm93w
MD5:	05D196A520BA5B3A8210D029F397AA1E
SHA1:	8D95F4DEC93E598ED106855C02FE54CF1A9B9FD6
SHA-256:	FF771989145CE98EDDF24D54F9E826CDCFACB86F80204D6509F8EDF16E4F45C6
SHA-512:	7BD449F1F55C0E52BD9A983FACC3DA53E337588C79920B796D08EB785C734A2E4276A023724B96ADB1B6E516CAACE6959634E26F2B81DFF0F3AD85D6202F0AD0
Malicious:	false
Preview:	7....-............&.N.Tr.."..............&.N.Tr.P@..ho.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	modified
Size (bytes):	13254
Entropy (8bit):	5.496877671644474
Encrypted:	false
SSDEEP:	192:x0D9gx0AlEnaRtLYbBp63hj4qyaaX26K0KNxd5RfGNBw8dbSl:9eVqGjGXcw80
MD5:	AA02674B2A9546050B5EFA01AA316AD0
SHA1:	77D52296F2A36AE5AAB3A7218F06D6C92B5CB3CC
SHA-256:	27F45DE28D0F7F23EA5EB019515F8047279F354F72E7393276FB1BD26887D15A
SHA-512:	244C2F9A124A0F2D53722BEAD3F1F45EDEC6285B651DED2400F55FD6F2AD573E20BFA2035240CED078FC02B659930FEBEA0E74BA35D4D07F34151AE55109C2AD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728559853);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728559853);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728559853);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172855

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496877671644474
Encrypted:	false
SSDEEP:	192:x0D9gx0AlEnaRtLYbBp63hj4qyaaX26K0KNxd5RfGNBw8dbSl:9eVqGjGXcw80
MD5:	AA02674B2A9546050B5EFA01AA316AD0
SHA1:	77D52296F2A36AE5AAB3A7218F06D6C92B5CB3CC
SHA-256:	27F45DE28D0F7F23EA5EB019515F8047279F354F72E7393276FB1BD26887D15A
SHA-512:	244C2F9A124A0F2D53722BEAD3F1F45EDEC6285B651DED2400F55FD6F2AD573E20BFA2035240CED078FC02B659930FEBEA0E74BA35D4D07F34151AE55109C2AD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728559853);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728559853);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728559853);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172855

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.354767907018228
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSKDXLXnIga/pnxQwRls6ZspHc7GH3j6xiM2UtdL7QH2oXpTurD/I0DO:cpOxNXqnRTZY8KGxH2UDkpTgwcR4
MD5:	F20C4B373D89904BAFF7283B8262E6BA
SHA1:	123193217CA4AFC23C385261D64A898DA827D876
SHA-256:	48891DF1431AAD0C63BAEBCE728F3D62F78C0E0D399E12A158D5C30D392F37D8
SHA-512:	7B4EC14AB4A0655D29BD49DC67611985EA392630599EF16EB18E88B94D4659438D1080A8128C9D0101C2D1CE1714A821AFF61347FCDA73AE307469AAD30A2794
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2b9628af-72e3-4cf8-a31c-76efaaf0a6f3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728559858641,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...2,"startTim..P22998...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...29434,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.354767907018228
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSKDXLXnIga/pnxQwRls6ZspHc7GH3j6xiM2UtdL7QH2oXpTurD/I0DO:cpOxNXqnRTZY8KGxH2UDkpTgwcR4
MD5:	F20C4B373D89904BAFF7283B8262E6BA
SHA1:	123193217CA4AFC23C385261D64A898DA827D876
SHA-256:	48891DF1431AAD0C63BAEBCE728F3D62F78C0E0D399E12A158D5C30D392F37D8
SHA-512:	7B4EC14AB4A0655D29BD49DC67611985EA392630599EF16EB18E88B94D4659438D1080A8128C9D0101C2D1CE1714A821AFF61347FCDA73AE307469AAD30A2794
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2b9628af-72e3-4cf8-a31c-76efaaf0a6f3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728559858641,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...2,"startTim..P22998...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...29434,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.354767907018228
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSKDXLXnIga/pnxQwRls6ZspHc7GH3j6xiM2UtdL7QH2oXpTurD/I0DO:cpOxNXqnRTZY8KGxH2UDkpTgwcR4
MD5:	F20C4B373D89904BAFF7283B8262E6BA
SHA1:	123193217CA4AFC23C385261D64A898DA827D876
SHA-256:	48891DF1431AAD0C63BAEBCE728F3D62F78C0E0D399E12A158D5C30D392F37D8
SHA-512:	7B4EC14AB4A0655D29BD49DC67611985EA392630599EF16EB18E88B94D4659438D1080A8128C9D0101C2D1CE1714A821AFF61347FCDA73AE307469AAD30A2794
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2b9628af-72e3-4cf8-a31c-76efaaf0a6f3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728559858641,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...2,"startTim..P22998...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...29434,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032401549330296
Encrypted:	false
SSDEEP:	48:YrSAYg6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycgyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	7519B2955998D18A16BF0BE97345EB16
SHA1:	327A1E6630BE361BAFC1FC6FA52A5383C6BB185E
SHA-256:	B05F00AC3D22FFB626E398DC33213410FEC070FB3370C0F142DF1FF85E55F799
SHA-512:	8B63AC240233FCB43496C094E4251B6992A12407DC84F93B89D29F6095C3C9DCE0064FE3BC7AEC7A4DF2508A666222D5C6762502A5D7E21B2702377898024022
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-10T11:30:41.500Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032401549330296
Encrypted:	false
SSDEEP:	48:YrSAYg6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycgyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	7519B2955998D18A16BF0BE97345EB16
SHA1:	327A1E6630BE361BAFC1FC6FA52A5383C6BB185E
SHA-256:	B05F00AC3D22FFB626E398DC33213410FEC070FB3370C0F142DF1FF85E55F799
SHA-512:	8B63AC240233FCB43496C094E4251B6992A12407DC84F93B89D29F6095C3C9DCE0064FE3BC7AEC7A4DF2508A666222D5C6762502A5D7E21B2702377898024022
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-10T11:30:41.500Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584675470963352
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	8cb76a38da8b77222f850a12a23be3d2
SHA1:	6c36de21d0cc3a1c67b12793dbe3d7756baeb37f
SHA256:	de2b5639497759238a59d9dad853eec24e89652b15ca26125f549edc5b1dd92d
SHA512:	2f6391f9be8b7863a7ff07dc2ef34c051fa452fc4588bdff933ad07c8d1d9479290f05ff8023ba476b347c7c7c38e2911acff64033a48bf4b988b18f63c88e03
SSDEEP:	12288:9qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tw:9qDEvCTbMWu7rQYlBQcBiT6rprG8abw
TLSH:	37159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6707A0A0 [Thu Oct 10 09:38:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FEF00C33873h
jmp 00007FEF00C3317Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FEF00C3335Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FEF00C3332Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FEF00C35F1Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FEF00C35F68h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FEF00C35F51h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	123d1fba737a4a8b74194a21b54eb2c7	False	0.31561511075949367	data	5.373584925919959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 11:41:13.562824011 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:13.562870026 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:13.575129986 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:13.581748009 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:13.581783056 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:14.060647011 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:14.060666084 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:14.060969114 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:14.069236040 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:14.069236040 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:14.069252968 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:14.069521904 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:14.069953918 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:15.929115057 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:15.934093952 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:15.945297003 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:15.945493937 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:15.950412035 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:16.173662901 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.173724890 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.176758051 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.176783085 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.183605909 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.183617115 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.185415983 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.185451984 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.186547041 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.186558962 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.405633926 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:16.446525097 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:16.534065962 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:16.534116983 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:16.534626007 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:16.535814047 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:16.535849094 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:16.775831938 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:16.775878906 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:16.776247978 CEST	49743	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:16.776316881 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:16.777611017 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:16.777640104 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:16.781522036 CEST	80	49743	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:16.785229921 CEST	49743	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:16.785614967 CEST	49743	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:16.788831949 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:16.788866043 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:16.790572882 CEST	80	49743	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:16.795443058 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:16.795614958 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:16.795629978 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:16.827771902 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.827790976 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.829217911 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.832206964 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.832242012 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.832552910 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.832583904 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.835081100 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.835170031 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.835226059 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.835236073 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.839589119 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.839605093 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.839773893 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.839826107 CEST	443	49739	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.840518951 CEST	49739	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.840890884 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.840900898 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.840974092 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.841238976 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.841245890 CEST	443	49740	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.841280937 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:16.844693899 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.844786882 CEST	49740	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.845827103 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:16.845843077 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:17.003895998 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.004944086 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.007467985 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.007518053 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.008884907 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.008903980 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.008984089 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.009257078 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.009288073 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.009324074 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.009329081 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.009504080 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.009516001 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.009567976 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.009599924 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.010780096 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.010812998 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.228250027 CEST	80	49743	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:17.246994972 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.251436949 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.260250092 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:17.260267019 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:17.263277054 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.263277054 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:17.283631086 CEST	49743	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.323941946 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:17.324558020 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:17.324578047 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:17.325637102 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:17.344214916 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.344229937 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.344396114 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.344494104 CEST	443	49742	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.352298975 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.352384090 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.352618933 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:17.352694988 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:17.353055000 CEST	443	49744	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:17.353502989 CEST	49742	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.353570938 CEST	49744	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:17.353693008 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.354969025 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.355005026 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.484453917 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.485604048 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.502439022 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.502439022 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.502497911 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.502859116 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.503864050 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.505940914 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.505989075 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:17.508505106 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:17.515417099 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.518759966 CEST	49743	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.519412994 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.520962954 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:17.520988941 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:17.521097898 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.523536921 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.523591042 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.524060011 CEST	80	49743	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:17.524599075 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.524842978 CEST	80	49738	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:17.525829077 CEST	49743	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.525971889 CEST	49738	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.529072046 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.529158115 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.529506922 CEST	443	49747	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.529515028 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.529614925 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.530179977 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:17.530209064 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:17.530251026 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:17.530700922 CEST	443	49745	142.250.186.46	192.168.2.4
Oct 10, 2024 11:41:17.536848068 CEST	49747	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.536874056 CEST	49745	443	192.168.2.4	142.250.186.46
Oct 10, 2024 11:41:17.537036896 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.537067890 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:17.537075043 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:17.563407898 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.568341017 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:17.571417093 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.571568012 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:17.576736927 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:17.818913937 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.820589066 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.824755907 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.824784994 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.824841022 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.825218916 CEST	443	49749	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.827346087 CEST	49749	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.991373062 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.991461992 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:17.997811079 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.999876022 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:17.999902010 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.004204988 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:18.004223108 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:18.013459921 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:18.017323017 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.019593954 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:18.019664049 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:18.020510912 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:18.023730040 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:18.023803949 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:18.024152040 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 10, 2024 11:41:18.025764942 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:18.025811911 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 10, 2024 11:41:18.066728115 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.427711964 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.433172941 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.436711073 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.436964035 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.442142010 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.481659889 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.483669043 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.496720076 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.496741056 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.496773958 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.496963978 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.497185946 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.497275114 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.497344017 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.499166965 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.500684023 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.500720024 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.649425030 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.654797077 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.744667053 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.750956059 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.759891033 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.764841080 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.765924931 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.766053915 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.771301031 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.799316883 CEST	80	49754	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:18.800005913 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.800044060 CEST	49754	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:18.806157112 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:18.806180000 CEST	443	49758	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:18.806780100 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:18.808267117 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:18.808279037 CEST	443	49758	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:18.968764067 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.968868971 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.974020958 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.974037886 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.974133015 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:18.974304914 CEST	443	49755	34.117.188.166	192.168.2.4
Oct 10, 2024 11:41:18.974594116 CEST	49755	443	192.168.2.4	34.117.188.166
Oct 10, 2024 11:41:19.211127996 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:19.254584074 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:19.295224905 CEST	443	49758	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:19.295325041 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:19.299873114 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:19.299873114 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:19.299891949 CEST	443	49758	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:19.300057888 CEST	443	49758	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:19.300410986 CEST	49758	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:21.684506893 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:21.689352036 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:21.693881035 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:21.693917990 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:21.696707964 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:21.698678017 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:21.698690891 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:21.779006004 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:21.844898939 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:21.925028086 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:21.925144911 CEST	443	49760	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:21.925878048 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:21.926049948 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:21.926093102 CEST	443	49760	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:22.176474094 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:22.176836967 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:22.184087038 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:22.184099913 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:22.184227943 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:22.184376001 CEST	443	49759	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:22.199254990 CEST	49759	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:22.480416059 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:22.485241890 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:22.574882984 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:22.602339029 CEST	443	49760	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:22.604902983 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:22.607111931 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:22.607142925 CEST	443	49760	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:22.607949972 CEST	443	49760	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:22.610317945 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:22.610404015 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:22.610681057 CEST	443	49760	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:22.612711906 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:22.612711906 CEST	49760	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:22.628320932 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:22.922930956 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:22.922959089 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:22.923067093 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:22.924397945 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:22.924412012 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:23.406789064 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:23.406867027 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:23.410962105 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:23.410969019 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:23.411047935 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:23.411220074 CEST	443	49761	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:23.411263943 CEST	49761	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:26.308756113 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:26.313659906 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:26.404244900 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:26.455269098 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:26.474534035 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:26.474620104 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:26.474838972 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:26.476869106 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:26.476903915 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:26.589299917 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:26.589368105 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:26.594212055 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:26.594347000 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:26.683607101 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:26.683749914 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:26.724919081 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:26.726299047 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:26.943521023 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:26.946796894 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.361654997 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.361654997 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.361742020 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.362411022 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.362617016 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.444581032 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.444614887 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.445276976 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.445286989 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.450212955 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.450402021 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.450402021 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.450428963 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.450495958 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.450505018 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.509875059 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:27.510369062 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:27.512685061 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:27.512706995 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:27.513161898 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:27.514921904 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:27.515194893 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:27.604568958 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:27.604583979 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:27.658842087 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:27.658881903 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:27.905641079 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.905698061 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:27.911465883 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:27.911545038 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.449155092 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.449194908 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.450134039 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.452136040 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.452162981 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.453084946 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.453510046 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:28.453533888 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:28.455281019 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.455379963 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.456501007 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.458231926 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.458268881 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.459873915 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.459952116 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.460304976 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.460455894 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.460515022 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.460621119 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.460627079 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.460733891 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:28.551557064 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:28.556368113 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:28.645797014 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:28.699917078 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:28.911276102 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:28.911350965 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:28.940350056 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:28.940435886 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:29.321053982 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:29.321085930 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:29.321141958 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:29.321312904 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:29.321405888 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:29.321443081 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:29.321830988 CEST	443	49771	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:29.321927071 CEST	443	49772	34.120.208.123	192.168.2.4
Oct 10, 2024 11:41:29.321944952 CEST	49771	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:29.322009087 CEST	49772	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:41:29.985852003 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:30.304146051 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:30.306499958 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:30.308962107 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:30.395534992 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:30.451292038 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:30.799705029 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:30.804630995 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:30.894296885 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:30.937601089 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:40.009177923 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.009294033 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:40.009490013 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.010710001 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.010746956 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:40.403341055 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:40.408307076 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:40.478029966 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:40.478121996 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.481738091 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.481756926 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:40.481848001 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.482129097 CEST	443	49773	34.107.243.93	192.168.2.4
Oct 10, 2024 11:41:40.482395887 CEST	49773	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:41:40.484146118 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:40.488931894 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:40.579121113 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:40.581851006 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:40.587929010 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:40.636604071 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:40.677675962 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:40.719816923 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:42.468360901 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.468425035 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:42.471596003 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.471884966 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.471896887 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:42.493218899 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.493257999 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:42.497191906 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.497353077 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.497370005 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:42.500045061 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:42.500075102 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:42.500375032 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.500422001 CEST	443	49777	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:42.507857084 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:42.508011103 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:42.508012056 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.508027077 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:42.509780884 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.509798050 CEST	443	49777	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:42.517553091 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:42.517640114 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 10, 2024 11:41:42.520211935 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:42.521397114 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:42.521435022 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 10, 2024 11:41:42.961009979 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:42.961127996 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.964216948 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.964235067 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:42.964555979 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:42.965065002 CEST	443	49777	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:42.965076923 CEST	443	49777	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:42.965130091 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.967860937 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.967955112 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.968029022 CEST	443	49775	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:42.968774080 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:42.969243050 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.969254971 CEST	443	49777	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:42.969305992 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.969440937 CEST	443	49777	35.190.72.216	192.168.2.4
Oct 10, 2024 11:41:42.970000982 CEST	49775	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:42.970032930 CEST	49777	443	192.168.2.4	35.190.72.216
Oct 10, 2024 11:41:42.970048904 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.972611904 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.972623110 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:42.972839117 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:42.972942114 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:42.977098942 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.977174044 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.977288961 CEST	443	49774	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:42.977916956 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:42.977962017 CEST	49774	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:42.996716976 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 10, 2024 11:41:42.996846914 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:43.000637054 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:43.000637054 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:43.000670910 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 10, 2024 11:41:43.000945091 CEST	443	49778	35.201.103.21	192.168.2.4
Oct 10, 2024 11:41:43.001044035 CEST	49778	443	192.168.2.4	35.201.103.21
Oct 10, 2024 11:41:43.012104988 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.012176991 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:43.012384892 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.012439966 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.012454987 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:43.067941904 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.073646069 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.078522921 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.111088037 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.167923927 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.211456060 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.236145973 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:43.236160994 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:43.236255884 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:43.239717960 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:43.239746094 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:43.240010023 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:43.242326021 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:43.242432117 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:43.242453098 CEST	443	49776	52.222.236.120	192.168.2.4
Oct 10, 2024 11:41:43.242609978 CEST	49776	443	192.168.2.4	52.222.236.120
Oct 10, 2024 11:41:43.254919052 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.255004883 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.256659985 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.256705999 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.258297920 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.258306980 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.258476973 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.258495092 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.258692980 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.258709908 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.258991003 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.258997917 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.259849072 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.264775038 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.272346973 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.272617102 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.272629976 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.580579042 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.585735083 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.589728117 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:43.589852095 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.590795040 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.593012094 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.593045950 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:43.593386889 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:43.595196962 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.595283985 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.595395088 CEST	443	49779	34.149.100.209	192.168.2.4
Oct 10, 2024 11:41:43.596218109 CEST	49779	443	192.168.2.4	34.149.100.209
Oct 10, 2024 11:41:43.597735882 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.602593899 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.680083990 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.692526102 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.695285082 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.700077057 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.744031906 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.961687088 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:43.970243931 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.970325947 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.970336914 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.970350027 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.970650911 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.972686052 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.972702980 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.972914934 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.974728107 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.974834919 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.974847078 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.975056887 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.977051020 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.977138042 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.977164984 CEST	443	49780	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.977346897 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.977385044 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.977456093 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.977638006 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.979919910 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.979924917 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.980665922 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.982597113 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.982661009 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.982907057 CEST	443	49781	35.244.181.201	192.168.2.4
Oct 10, 2024 11:41:43.985379934 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.985400915 CEST	49780	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.985411882 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.985435009 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.985446930 CEST	49781	443	192.168.2.4	35.244.181.201
Oct 10, 2024 11:41:43.986771107 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:43.991585970 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:44.013658047 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:44.081540108 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:44.084865093 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:44.089762926 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:44.129573107 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:44.179176092 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:44.229855061 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:47.837738037 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:47.842714071 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:47.932940960 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:47.935961962 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:47.940860987 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:47.987560034 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:48.030482054 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:48.087817907 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:57.952527046 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:57.957799911 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:41:58.052964926 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:41:58.057976007 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:00.514246941 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.514314890 CEST	443	49801	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:00.514403105 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.516392946 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.516413927 CEST	443	49801	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:00.988059044 CEST	443	49801	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:00.988168001 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.991756916 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.991766930 CEST	443	49801	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:00.991864920 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.992147923 CEST	443	49801	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:00.992197990 CEST	49801	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:00.994595051 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:00.999520063 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:01.089049101 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:01.093766928 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:01.098627090 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:01.139782906 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:01.188515902 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:01.240114927 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:11.088922977 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:11.094094038 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:11.189346075 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:11.194339991 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:12.510358095 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.510415077 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.510566950 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.510587931 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.510958910 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.510967970 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.511060953 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.511076927 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.511161089 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.511172056 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.525904894 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.525943995 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.526789904 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.526921988 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.526937962 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.964056015 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.964133978 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.967220068 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.967245102 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.967616081 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.969804049 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.969918966 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.969938040 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.970069885 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.984271049 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.985219955 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.987776041 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.987785101 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.988010883 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.989914894 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.989990950 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.990034103 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.994617939 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:12.995399952 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:12.997246027 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.997260094 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.997260094 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:12.999522924 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:13.000313044 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:13.004614115 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:13.007040977 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:13.007047892 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:13.007277012 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:13.009490967 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:13.009576082 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:13.009618044 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 10, 2024 11:42:13.009675026 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 10, 2024 11:42:13.089234114 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:13.096836090 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:13.101802111 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:13.135355949 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:13.191195011 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:13.235836983 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:23.096312046 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:23.101139069 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:23.196643114 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:23.201488972 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:33.104852915 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:33.109772921 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:33.205179930 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:33.210093975 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:41.007643938 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.007734060 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:41.008032084 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.009463072 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.009502888 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:41.484879971 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:41.485069036 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.489486933 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.489500999 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:41.489576101 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.489727020 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 10, 2024 11:42:41.490396976 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 10, 2024 11:42:41.492160082 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:41.498971939 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:41.586576939 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:41.589926958 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:41.595047951 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:41.627948046 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:41.684300900 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:41.730802059 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:51.594418049 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:51.599908113 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:42:51.694781065 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:42:51.700732946 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:43:01.611753941 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:43:01.617063999 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:43:01.711848974 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:43:01.717048883 CEST	80	49757	34.107.221.82	192.168.2.4
Oct 10, 2024 11:43:11.635504961 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:43:11.641057014 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 10, 2024 11:43:11.735676050 CEST	49757	80	192.168.2.4	34.107.221.82
Oct 10, 2024 11:43:11.742183924 CEST	80	49757	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 11:41:13.566736937 CEST	61251	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:13.574207067 CEST	53	61251	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:13.576092958 CEST	64398	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:13.583717108 CEST	53	64398	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:14.251153946 CEST	57535	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:15.113076925 CEST	64822	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:15.120486021 CEST	53	64822	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:15.121048927 CEST	50303	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:15.129467964 CEST	53	50303	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.154155016 CEST	53856	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.161201000 CEST	53	53856	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.174343109 CEST	50426	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.181874990 CEST	53	50426	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.184029102 CEST	63787	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.191243887 CEST	53	63787	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.525460958 CEST	49859	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.526138067 CEST	65294	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.532196999 CEST	53	49859	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.533483982 CEST	53	65294	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.534575939 CEST	57796	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.535080910 CEST	60156	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.542191982 CEST	53	57796	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.542454958 CEST	53	60156	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.548114061 CEST	65067	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.555279016 CEST	53	65067	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.765695095 CEST	59963	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.766159058 CEST	60530	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.773169994 CEST	53	59963	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.777405977 CEST	65456	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.784993887 CEST	53	65456	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.788969994 CEST	59575	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.796133995 CEST	60743	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.796255112 CEST	53	59575	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.800715923 CEST	61199	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:16.803344011 CEST	53	60743	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.807785988 CEST	53	61199	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:16.997720957 CEST	65031	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:17.004956961 CEST	53	65031	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:17.006078005 CEST	65216	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:17.013175964 CEST	53	65216	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:17.013886929 CEST	63995	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:17.021420956 CEST	53	63995	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:18.725644112 CEST	61629	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:18.763242006 CEST	53	54401	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:18.770114899 CEST	51862	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:18.776990891 CEST	53	51862	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:18.778690100 CEST	51490	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:18.785413027 CEST	53	51490	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:18.786526918 CEST	62716	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:18.793337107 CEST	53	62716	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:21.639333963 CEST	59379	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.646034002 CEST	53	59379	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:21.661643982 CEST	64996	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.669166088 CEST	53	64996	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:21.683109999 CEST	53300	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.690339088 CEST	53	53300	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:21.694183111 CEST	65335	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.701040030 CEST	53	65335	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:21.714854002 CEST	56868	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.721775055 CEST	53	56868	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:21.905376911 CEST	59109	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.907665014 CEST	55035	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:21.914565086 CEST	53	55035	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:22.913736105 CEST	59109	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:22.921176910 CEST	53	59109	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:22.923079014 CEST	58222	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:22.930131912 CEST	53	58222	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:22.930833101 CEST	56367	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:22.937896013 CEST	53	56367	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:26.310307026 CEST	59624	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:26.317748070 CEST	53	59624	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:28.446230888 CEST	65263	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:28.453758001 CEST	53	65263	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.736541033 CEST	54367	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.737066984 CEST	56954	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.737436056 CEST	58875	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.744071007 CEST	53	56954	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.744407892 CEST	53	54367	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.744486094 CEST	53	58875	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.744851112 CEST	50457	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.745810032 CEST	56627	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.746438980 CEST	51346	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.751442909 CEST	53	50457	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.752804041 CEST	53	56627	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.753058910 CEST	53	51346	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.756633043 CEST	51794	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.756820917 CEST	63642	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.757188082 CEST	49436	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.763372898 CEST	53	51794	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.763573885 CEST	53	63642	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.764014959 CEST	55486	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.764583111 CEST	58348	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.764832020 CEST	53	49436	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.770755053 CEST	53	55486	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.771152973 CEST	53	58348	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.771348000 CEST	51855	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.771789074 CEST	49953	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.778459072 CEST	53	51855	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.778721094 CEST	53	49953	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.778919935 CEST	57866	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.779241085 CEST	61621	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:35.786159039 CEST	53	61621	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:35.786398888 CEST	53	57866	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:40.009354115 CEST	60168	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:40.017368078 CEST	53	60168	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:40.484333992 CEST	65505	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.469505072 CEST	63771	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.476692915 CEST	53	63771	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:42.489751101 CEST	64174	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.497486115 CEST	53	64174	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:42.501048088 CEST	57988	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.506995916 CEST	61524	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.508142948 CEST	53	57988	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:42.511363029 CEST	51661	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.513979912 CEST	53	61524	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:42.517980099 CEST	58330	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.518220901 CEST	53	51661	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:42.526670933 CEST	53	58330	1.1.1.1	192.168.2.4
Oct 10, 2024 11:41:42.527163982 CEST	61654	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:41:42.534071922 CEST	53	61654	1.1.1.1	192.168.2.4
Oct 10, 2024 11:42:00.513508081 CEST	54752	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:42:00.520466089 CEST	53	54752	1.1.1.1	192.168.2.4
Oct 10, 2024 11:42:00.521821022 CEST	54857	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:42:00.528567076 CEST	53	54857	1.1.1.1	192.168.2.4
Oct 10, 2024 11:42:00.994844913 CEST	62319	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:42:12.509598970 CEST	53719	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:42:12.516865969 CEST	53	53719	1.1.1.1	192.168.2.4
Oct 10, 2024 11:42:40.998923063 CEST	62788	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:42:41.006481886 CEST	53	62788	1.1.1.1	192.168.2.4
Oct 10, 2024 11:42:41.009449959 CEST	49174	53	192.168.2.4	1.1.1.1
Oct 10, 2024 11:42:41.016647100 CEST	53	49174	1.1.1.1	192.168.2.4
Oct 10, 2024 11:42:41.492412090 CEST	64946	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 11:41:13.566736937 CEST	192.168.2.4	1.1.1.1	0x1285	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:13.576092958 CEST	192.168.2.4	1.1.1.1	0x4dec	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:14.251153946 CEST	192.168.2.4	1.1.1.1	0xbc06	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:15.113076925 CEST	192.168.2.4	1.1.1.1	0x1ada	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:15.121048927 CEST	192.168.2.4	1.1.1.1	0xa677	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:16.154155016 CEST	192.168.2.4	1.1.1.1	0x4425	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.174343109 CEST	192.168.2.4	1.1.1.1	0xb15b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.184029102 CEST	192.168.2.4	1.1.1.1	0x56d7	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:16.525460958 CEST	192.168.2.4	1.1.1.1	0xe38b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.526138067 CEST	192.168.2.4	1.1.1.1	0x6be8	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.534575939 CEST	192.168.2.4	1.1.1.1	0x59a1	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.535080910 CEST	192.168.2.4	1.1.1.1	0x557d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.548114061 CEST	192.168.2.4	1.1.1.1	0xb691	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:16.765695095 CEST	192.168.2.4	1.1.1.1	0xc378	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.766159058 CEST	192.168.2.4	1.1.1.1	0x3e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.777405977 CEST	192.168.2.4	1.1.1.1	0x8170	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.788969994 CEST	192.168.2.4	1.1.1.1	0xccb7	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.796133995 CEST	192.168.2.4	1.1.1.1	0x8e5c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:16.800715923 CEST	192.168.2.4	1.1.1.1	0x904e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:16.997720957 CEST	192.168.2.4	1.1.1.1	0x3e7d	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:17.006078005 CEST	192.168.2.4	1.1.1.1	0x50bd	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:17.013886929 CEST	192.168.2.4	1.1.1.1	0x16b3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:18.725644112 CEST	192.168.2.4	1.1.1.1	0x37b5	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:18.770114899 CEST	192.168.2.4	1.1.1.1	0xa40f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:18.778690100 CEST	192.168.2.4	1.1.1.1	0xf269	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:18.786526918 CEST	192.168.2.4	1.1.1.1	0x42f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:21.639333963 CEST	192.168.2.4	1.1.1.1	0x4537	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.661643982 CEST	192.168.2.4	1.1.1.1	0xfd4c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.683109999 CEST	192.168.2.4	1.1.1.1	0xa698	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:21.694183111 CEST	192.168.2.4	1.1.1.1	0x4706	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.714854002 CEST	192.168.2.4	1.1.1.1	0x37c5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:21.905376911 CEST	192.168.2.4	1.1.1.1	0xe663	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.907665014 CEST	192.168.2.4	1.1.1.1	0x1625	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:22.913736105 CEST	192.168.2.4	1.1.1.1	0xe663	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:22.923079014 CEST	192.168.2.4	1.1.1.1	0x28	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:22.930833101 CEST	192.168.2.4	1.1.1.1	0x7892	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:26.310307026 CEST	192.168.2.4	1.1.1.1	0x1138	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:28.446230888 CEST	192.168.2.4	1.1.1.1	0x4024	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:35.736541033 CEST	192.168.2.4	1.1.1.1	0x3fa3	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.737066984 CEST	192.168.2.4	1.1.1.1	0xd3db	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.737436056 CEST	192.168.2.4	1.1.1.1	0x5743	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744851112 CEST	192.168.2.4	1.1.1.1	0x2852	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.745810032 CEST	192.168.2.4	1.1.1.1	0xd593	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.746438980 CEST	192.168.2.4	1.1.1.1	0xbe18	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.756633043 CEST	192.168.2.4	1.1.1.1	0xaef7	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:35.756820917 CEST	192.168.2.4	1.1.1.1	0xd6ab	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:35.757188082 CEST	192.168.2.4	1.1.1.1	0xcbce	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 10, 2024 11:41:35.764014959 CEST	192.168.2.4	1.1.1.1	0x76c	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.764583111 CEST	192.168.2.4	1.1.1.1	0xd8cd	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.771348000 CEST	192.168.2.4	1.1.1.1	0xfd4d	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.771789074 CEST	192.168.2.4	1.1.1.1	0x8dee	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.778919935 CEST	192.168.2.4	1.1.1.1	0x6fea	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:35.779241085 CEST	192.168.2.4	1.1.1.1	0x1cb2	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:40.009354115 CEST	192.168.2.4	1.1.1.1	0xae55	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:41:40.484333992 CEST	192.168.2.4	1.1.1.1	0x59ab	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.469505072 CEST	192.168.2.4	1.1.1.1	0x6e5d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 10, 2024 11:41:42.489751101 CEST	192.168.2.4	1.1.1.1	0x4619	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.501048088 CEST	192.168.2.4	1.1.1.1	0xd60d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.506995916 CEST	192.168.2.4	1.1.1.1	0x903	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.511363029 CEST	192.168.2.4	1.1.1.1	0x813d	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 10, 2024 11:41:42.517980099 CEST	192.168.2.4	1.1.1.1	0xb506	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.527163982 CEST	192.168.2.4	1.1.1.1	0x1956	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:42:00.513508081 CEST	192.168.2.4	1.1.1.1	0xba0f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:00.521821022 CEST	192.168.2.4	1.1.1.1	0x581d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:42:00.994844913 CEST	192.168.2.4	1.1.1.1	0x5902	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:12.509598970 CEST	192.168.2.4	1.1.1.1	0xada9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:42:40.998923063 CEST	192.168.2.4	1.1.1.1	0x9928	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:41.009449959 CEST	192.168.2.4	1.1.1.1	0xb677	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 10, 2024 11:42:41.492412090 CEST	192.168.2.4	1.1.1.1	0x262b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 11:41:13.541150093 CEST	1.1.1.1	192.168.2.4	0x2c85	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:13.574207067 CEST	1.1.1.1	192.168.2.4	0x1285	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:15.111751080 CEST	1.1.1.1	192.168.2.4	0xbc06	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:15.111751080 CEST	1.1.1.1	192.168.2.4	0xbc06	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:15.120486021 CEST	1.1.1.1	192.168.2.4	0x1ada	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:15.129467964 CEST	1.1.1.1	192.168.2.4	0xa677	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 10, 2024 11:41:16.161201000 CEST	1.1.1.1	192.168.2.4	0x4425	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.181874990 CEST	1.1.1.1	192.168.2.4	0xb15b	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.191243887 CEST	1.1.1.1	192.168.2.4	0x56d7	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 10, 2024 11:41:16.532196999 CEST	1.1.1.1	192.168.2.4	0xe38b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.533483982 CEST	1.1.1.1	192.168.2.4	0x6be8	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.542191982 CEST	1.1.1.1	192.168.2.4	0x59a1	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.542191982 CEST	1.1.1.1	192.168.2.4	0x59a1	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.542454958 CEST	1.1.1.1	192.168.2.4	0x557d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.773104906 CEST	1.1.1.1	192.168.2.4	0x3e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:16.773104906 CEST	1.1.1.1	192.168.2.4	0x3e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.773169994 CEST	1.1.1.1	192.168.2.4	0xc378	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:16.773169994 CEST	1.1.1.1	192.168.2.4	0xc378	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.778151035 CEST	1.1.1.1	192.168.2.4	0x2117	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:16.778151035 CEST	1.1.1.1	192.168.2.4	0x2117	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.784993887 CEST	1.1.1.1	192.168.2.4	0x8170	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:16.796255112 CEST	1.1.1.1	192.168.2.4	0xccb7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:17.004956961 CEST	1.1.1.1	192.168.2.4	0x3e7d	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:17.004956961 CEST	1.1.1.1	192.168.2.4	0x3e7d	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:17.004956961 CEST	1.1.1.1	192.168.2.4	0x3e7d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:17.013175964 CEST	1.1.1.1	192.168.2.4	0x50bd	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:17.021420956 CEST	1.1.1.1	192.168.2.4	0x16b3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 10, 2024 11:41:18.733719110 CEST	1.1.1.1	192.168.2.4	0x37b5	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:18.776990891 CEST	1.1.1.1	192.168.2.4	0xa40f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:18.785413027 CEST	1.1.1.1	192.168.2.4	0xf269	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.646034002 CEST	1.1.1.1	192.168.2.4	0x4537	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:21.646034002 CEST	1.1.1.1	192.168.2.4	0x4537	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:21.646034002 CEST	1.1.1.1	192.168.2.4	0x4537	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.669166088 CEST	1.1.1.1	192.168.2.4	0xfd4c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.689488888 CEST	1.1.1.1	192.168.2.4	0x2bfe	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.701040030 CEST	1.1.1.1	192.168.2.4	0x4706	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:21.911822081 CEST	1.1.1.1	192.168.2.4	0xe0b3	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:21.911822081 CEST	1.1.1.1	192.168.2.4	0xe0b3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:22.921176910 CEST	1.1.1.1	192.168.2.4	0xe663	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:22.921176910 CEST	1.1.1.1	192.168.2.4	0xe663	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:22.930131912 CEST	1.1.1.1	192.168.2.4	0x28	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:26.473124027 CEST	1.1.1.1	192.168.2.4	0x24d0	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744071007 CEST	1.1.1.1	192.168.2.4	0xd3db	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744071007 CEST	1.1.1.1	192.168.2.4	0xd3db	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744407892 CEST	1.1.1.1	192.168.2.4	0x3fa3	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744486094 CEST	1.1.1.1	192.168.2.4	0x5743	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:35.744486094 CEST	1.1.1.1	192.168.2.4	0x5743	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.751442909 CEST	1.1.1.1	192.168.2.4	0x2852	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.752804041 CEST	1.1.1.1	192.168.2.4	0xd593	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.753058910 CEST	1.1.1.1	192.168.2.4	0xbe18	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.763372898 CEST	1.1.1.1	192.168.2.4	0xaef7	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 10, 2024 11:41:35.763573885 CEST	1.1.1.1	192.168.2.4	0xd6ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 11:41:35.763573885 CEST	1.1.1.1	192.168.2.4	0xd6ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 11:41:35.763573885 CEST	1.1.1.1	192.168.2.4	0xd6ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 11:41:35.763573885 CEST	1.1.1.1	192.168.2.4	0xd6ab	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 10, 2024 11:41:35.764832020 CEST	1.1.1.1	192.168.2.4	0xcbce	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 10, 2024 11:41:35.770755053 CEST	1.1.1.1	192.168.2.4	0x76c	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:35.770755053 CEST	1.1.1.1	192.168.2.4	0x76c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.770755053 CEST	1.1.1.1	192.168.2.4	0x76c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.770755053 CEST	1.1.1.1	192.168.2.4	0x76c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.770755053 CEST	1.1.1.1	192.168.2.4	0x76c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.771152973 CEST	1.1.1.1	192.168.2.4	0xd8cd	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.778459072 CEST	1.1.1.1	192.168.2.4	0xfd4d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.778459072 CEST	1.1.1.1	192.168.2.4	0xfd4d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.778459072 CEST	1.1.1.1	192.168.2.4	0xfd4d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.778459072 CEST	1.1.1.1	192.168.2.4	0xfd4d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:35.778721094 CEST	1.1.1.1	192.168.2.4	0x8dee	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:40.491185904 CEST	1.1.1.1	192.168.2.4	0x59ab	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:40.491185904 CEST	1.1.1.1	192.168.2.4	0x59ab	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.497486115 CEST	1.1.1.1	192.168.2.4	0x4619	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.497486115 CEST	1.1.1.1	192.168.2.4	0x4619	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.497486115 CEST	1.1.1.1	192.168.2.4	0x4619	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.497486115 CEST	1.1.1.1	192.168.2.4	0x4619	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.508142948 CEST	1.1.1.1	192.168.2.4	0xd60d	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.508142948 CEST	1.1.1.1	192.168.2.4	0xd60d	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.508142948 CEST	1.1.1.1	192.168.2.4	0xd60d	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.508142948 CEST	1.1.1.1	192.168.2.4	0xd60d	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.513979912 CEST	1.1.1.1	192.168.2.4	0x903	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:42.513979912 CEST	1.1.1.1	192.168.2.4	0x903	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:42.526670933 CEST	1.1.1.1	192.168.2.4	0xb506	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:41:43.999080896 CEST	1.1.1.1	192.168.2.4	0x7974	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:41:43.999080896 CEST	1.1.1.1	192.168.2.4	0x7974	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:42:00.520466089 CEST	1.1.1.1	192.168.2.4	0xba0f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:01.001795053 CEST	1.1.1.1	192.168.2.4	0x5902	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:42:01.001795053 CEST	1.1.1.1	192.168.2.4	0x5902	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:12.501126051 CEST	1.1.1.1	192.168.2.4	0x4125	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:41.006481886 CEST	1.1.1.1	192.168.2.4	0x9928	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 10, 2024 11:42:41.500225067 CEST	1.1.1.1	192.168.2.4	0x262b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 11:42:41.500225067 CEST	1.1.1.1	192.168.2.4	0x262b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	34.107.221.82	80	3220	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 11:41:15.945493937 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:16.405633926 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85211 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	34.107.221.82	80	3220	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 11:41:16.785614967 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:17.228250027 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 09 Oct 2024 20:22:55 GMT Age: 47902 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	3220	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 11:41:17.571568012 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:18.017323017 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85212 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:18.649425030 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:18.744667053 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85213 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:21.684506893 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:21.779006004 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85216 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:26.308756113 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:26.404244900 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85221 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:26.589299917 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:26.683749914 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85221 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:27.510369062 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:27.604583979 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85222 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:29.985852003 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:30.304146051 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:30.395534992 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85225 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:40.403341055 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:41:40.484146118 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:40.579121113 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85235 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:42.972839117 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:43.067941904 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85238 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:43.259849072 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:43.580579042 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85238 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:43.597735882 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:43.692526102 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85238 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:43.986771107 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:44.081540108 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85239 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:47.837738037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:41:47.932940960 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85242 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:41:57.952527046 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:00.994595051 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:42:01.089049101 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85256 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:42:11.088922977 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:12.994617939 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:42:13.089234114 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85268 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:42:23.096312046 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:33.104852915 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:41.492160082 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 10, 2024 11:42:41.586576939 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 09 Oct 2024 10:01:05 GMT Age: 85296 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 10, 2024 11:42:51.594418049 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:43:01.611753941 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:43:11.635504961 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	3220	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 11:41:18.436964035 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49757	34.107.221.82	80	3220	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 11:41:18.766053915 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:19.211127996 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16235 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:22.480416059 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:22.574882984 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16238 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:26.589368105 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:26.683607101 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16242 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:27.509875059 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:27.604568958 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16243 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:28.551557064 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:28.645797014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16244 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:30.799705029 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:30.894296885 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16246 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:40.581851006 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:40.677675962 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16256 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:43.073646069 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:43.167923927 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:43.585735083 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:43.680083990 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:43.695285082 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:43.961687088 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:44.084865093 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:44.179176092 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16260 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:47.935961962 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:41:48.030482054 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16263 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:41:58.052964926 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:01.093766928 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:42:01.188515902 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16277 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:42:11.189346075 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:13.096836090 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:42:13.191195011 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16289 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:42:23.196643114 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:33.205179930 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:42:41.589926958 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 10, 2024 11:42:41.684300900 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 10 Oct 2024 05:10:44 GMT Age: 16317 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 10, 2024 11:42:51.694781065 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:43:01.711848974 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 10, 2024 11:43:11.735676050 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	05:41:06
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x9b0000
File size:	919'552 bytes
MD5 hash:	8CB76A38DA8B77222F850A12A23BE3D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:41:06
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:41:06
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:41:09
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:41:10
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff7699e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:41:10
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:41:10
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	05:41:11
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eaedab3-4b51-4b12-9051-af95aa17859e} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df53c6f310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:41:13
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -parentBuildID 20230927232528 -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4719529b-836d-4975-a581-e10641ea7f9d} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df65da5310 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:41:21
Start date:	10/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5328 -prefMapHandle 2640 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac80dba-0188-4f1b-b01b-50611a6dda15} 3220 "\\.\pipe\gecko-crash-server-pipe.3220" 1df6ea1e110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1585
Total number of Limit Nodes:	58

Executed Functions

Function 009B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 009B430D

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

GetCurrentProcess.KERNEL32(?,00A4CB64,00000000,?,?), ref: 009B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 009B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 009B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 009B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 009B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009B44A0

Strings

|O, xrefs: 009F36F8
kernel32.dll, xrefs: 009B444F
GetNativeSystemInfo, xrefs: 009B4460

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: bceb991f828d845bff5f15857a479dc3aff4efed92501e529632ccd0dd7d4e70
Instruction ID: 544a0d0cb687f4b42b50ab9728d1fd37a8a5d1d4beb0470e42e1dfa5b03386ad
Opcode Fuzzy Hash: bceb991f828d845bff5f15857a479dc3aff4efed92501e529632ccd0dd7d4e70
Instruction Fuzzy Hash: C8A1E47590E2C4DFC792C7F97D811E57FEDEB26710B088C99D0819BA32D268460BEB21

Function 009B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009B50AA,?,?,00000000,00000000), ref: 009B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009B50AA,?,?,00000000,00000000), ref: 009B42C9
LoadResource.KERNEL32(?,00000000,?,?,009B50AA,?,?,00000000,00000000,?,?,?,?,?,?,009B4F20), ref: 009F35BE
SizeofResource.KERNEL32(?,00000000,?,?,009B50AA,?,?,00000000,00000000,?,?,?,?,?,?,009B4F20), ref: 009F35D3
LockResource.KERNEL32(009B50AA,?,?,009B50AA,?,?,00000000,00000000,?,?,?,?,?,?,009B4F20,?), ref: 009F35E6

Strings

SCRIPT, xrefs: 009B42BF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9652ebad53d762c73ae0803761ce9633b6591fb1e25627c17fc0c15ad2191c29
Instruction ID: 86590568b5a2f22aeb9c3d1b21a472eb62015cc72dc205e0a411e2c310d30652
Opcode Fuzzy Hash: 9652ebad53d762c73ae0803761ce9633b6591fb1e25627c17fc0c15ad2191c29
Instruction Fuzzy Hash: AD11CE78201700BFE7219FA5DD49FA77BBDEBC6B61F108169F416C6260DBB2DC01A620

Function 009F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 009B2B6B

Part of subcall function 009B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A81418,?,009B2E7F,?,?,?,00000000), ref: 009B3A78

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A72224), ref: 009F2C10
ShellExecuteW.SHELL32(00000000,?,?,00A72224), ref: 009F2C17

Strings

runas, xrefs: 009F2C0B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 35ef1559eea34902006e6910dfd87db611f1bf1b5cb824d769fd6ecee694203b
Instruction ID: a4d956a97bf9d3d2b3017b908e3af3ff37b90ba9d919cc88a6575c37081c11e5
Opcode Fuzzy Hash: 35ef1559eea34902006e6910dfd87db611f1bf1b5cb824d769fd6ecee694203b
Instruction Fuzzy Hash: F011B4316083056AC704FFB0DA51BFE7BA8ABD2330F44982DF186520A2DF21854A8712

Function 00A1D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A1D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A1D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A1D52F
CloseHandle.KERNELBASE(00000000), ref: 00A1D5DC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fd2b1cf2186f90f8fa040201afac5ec4d6e9497b3ffee93c5d55c6de328041ef
Instruction ID: 20c39f37ce2b0325c4f2d8feda40ba333c5013f1af668ba4eb2e8347f535adef
Opcode Fuzzy Hash: fd2b1cf2186f90f8fa040201afac5ec4d6e9497b3ffee93c5d55c6de328041ef
Instruction Fuzzy Hash: 37315E711082009FD301EF54C985BAFBBE9AFD93A4F14092DF585861A1EB719985CB92

Function 00A1DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,009F5222), ref: 00A1DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00A1DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A1DBEE
FindClose.KERNEL32(00000000), ref: 00A1DBFA

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 3aba62eb0649ca0ce2f1051f8ca1b77a88f092b2e7d24968fae7692328324b34
Instruction ID: 7fedc41afe8652c8f03e4c65b86e87eb9db382d1dc126e0b116983c37cf1c7e5
Opcode Fuzzy Hash: 3aba62eb0649ca0ce2f1051f8ca1b77a88f092b2e7d24968fae7692328324b34
Instruction Fuzzy Hash: DBF0A03C81191067C220ABBCAC0D8EA376C9E82335B104B02F93AC20E0FBF15996C6D5

Function 009D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009E28E9,?,009D4CBE,009E28E9,00A788B8,0000000C,009D4E15,009E28E9,00000002,00000000,?,009E28E9), ref: 009D4D09
TerminateProcess.KERNEL32(00000000,?,009D4CBE,009E28E9,00A788B8,0000000C,009D4E15,009E28E9,00000002,00000000,?,009E28E9), ref: 009D4D10
ExitProcess.KERNEL32 ref: 009D4D22

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ac6d29958fd4b5887ab9bc479d9fd676d46b604fe1067bdb0ca75b90d9bd70c8
Instruction ID: ac3e53f53cefc8f6f7695f87d6e0ef1bb7f1cc70d9de8727b70a236731b1e29d
Opcode Fuzzy Hash: ac6d29958fd4b5887ab9bc479d9fd676d46b604fe1067bdb0ca75b90d9bd70c8
Instruction Fuzzy Hash: EEE0BF35041148ABCF61AF54DD09A587B6AEB82791B148015FC098B262CB36ED42CA40

Function 00A3AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00A3B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A3B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A3B1D4
_wcslen.LIBCMT ref: 00A3B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A3B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A3B236
_wcslen.LIBCMT ref: 00A3B332

Part of subcall function 00A205A7: GetStdHandle.KERNEL32(000000F6), ref: 00A205C6

_wcslen.LIBCMT ref: 00A3B34B
_wcslen.LIBCMT ref: 00A3B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A3B3B6
GetLastError.KERNEL32(00000000), ref: 00A3B407
CloseHandle.KERNEL32(?), ref: 00A3B439
CloseHandle.KERNEL32(00000000), ref: 00A3B44A
CloseHandle.KERNEL32(00000000), ref: 00A3B45C
CloseHandle.KERNEL32(00000000), ref: 00A3B46E
CloseHandle.KERNEL32(?), ref: 00A3B4E3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5d60224799be9d5142416cf60ea7560b0d20d4b4358a82d03a009114ee19f834
Instruction ID: cef005dd58e40bfb9b92cc3c8adad41a5787d592624cf23a689836fb3cad4e9e
Opcode Fuzzy Hash: 5d60224799be9d5142416cf60ea7560b0d20d4b4358a82d03a009114ee19f834
Instruction Fuzzy Hash: 43F19D316143009FC724EF24C991B6EBBE6AFC5720F14855DF9998B2A2DB71EC40CB62

Function 009BD730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009BD807
timeGetTime.WINMM ref: 009BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009BDB28
TranslateMessage.USER32(?), ref: 009BDB7B
DispatchMessageW.USER32(?), ref: 009BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009BDB9F
Sleep.KERNELBASE(0000000A), ref: 009BDBB1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c69468f782566f6b35870959bd6fb3c7fe90e0d68d1f84794edcbbfae6eab49c
Instruction ID: 5917ecf8466ef9836e00ada8044b25ad898856cd25bb6d10453c8be3bb8d1f1d
Opcode Fuzzy Hash: c69468f782566f6b35870959bd6fb3c7fe90e0d68d1f84794edcbbfae6eab49c
Instruction Fuzzy Hash: 2D420430606345DFD728CF24D998BAABBE4BF86324F14491DF45A872D1E774E845CB82

Function 009B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009B2D07
RegisterClassExW.USER32(00000030), ref: 009B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009B2D42
InitCommonControlsEx.COMCTL32(?), ref: 009B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009B2D6F
LoadIconW.USER32(000000A9), ref: 009B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009B2D94

Strings

AutoIt v3 GUI, xrefs: 009B2D23
+, xrefs: 009B2CF0
0, xrefs: 009B2CE9
TaskbarCreated, xrefs: 009B2D37

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 06bbc856381362b8adae81532500fbdd4e77bb376dddfd9f8fefed37a5190d39
Instruction ID: c469bda2f91cdc18f82d47a98ce4ee0508c54b348926c57b1af9bf383c3cd785
Opcode Fuzzy Hash: 06bbc856381362b8adae81532500fbdd4e77bb376dddfd9f8fefed37a5190d39
Instruction Fuzzy Hash: CA21E3B9D02308AFDB40DFE4E849BDDBBB8FB49714F00411AF515A62A0D7B20542CF91

Function 009F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F039A: CreateFileW.KERNELBASE(00000000,00000000,?,009F0704,?,?,00000000,?,009F0704,00000000,0000000C), ref: 009F03B7

GetLastError.KERNEL32 ref: 009F076F
__dosmaperr.LIBCMT ref: 009F0776
GetFileType.KERNELBASE(00000000), ref: 009F0782
GetLastError.KERNEL32 ref: 009F078C
__dosmaperr.LIBCMT ref: 009F0795
CloseHandle.KERNEL32(00000000), ref: 009F07B5
CloseHandle.KERNEL32(?), ref: 009F08FF
GetLastError.KERNEL32 ref: 009F0931
__dosmaperr.LIBCMT ref: 009F0938

Strings

H, xrefs: 009F08BD

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 74260b16e1f35182047e66f494b221e97714224d1c11d1909a60667dda157889
Instruction ID: 3f3abae0bfe17ce0312375d50d201e9d3f2fad6b1b48d390aebb3a1feb599966
Opcode Fuzzy Hash: 74260b16e1f35182047e66f494b221e97714224d1c11d1909a60667dda157889
Instruction Fuzzy Hash: BBA12436A001088FDF19EFA8DC52BBE7BA8AB86320F144159F9159F392D7359D13CB91

Function 009B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A81418,?,009B2E7F,?,?,?,00000000), ref: 009B3A78

Part of subcall function 009B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009F31CE
RegCloseKey.ADVAPI32(?), ref: 009F3210
_wcslen.LIBCMT ref: 009F3277
_wcslen.LIBCMT ref: 009F3286

Strings

\Include\, xrefs: 009B3527
Software\AutoIt v3\AutoIt, xrefs: 009B3560
Include, xrefs: 009F3184, 009F31C5
\, xrefs: 009F328C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 13dc1afcc2739a221756183a7c02e3c2266ae9bf77cfce7e6d7b337631a0821e
Instruction ID: ed9cc36b122459367a82fd77707b68439dc4477ac027372ca43f3153c82c50db
Opcode Fuzzy Hash: 13dc1afcc2739a221756183a7c02e3c2266ae9bf77cfce7e6d7b337631a0821e
Instruction Fuzzy Hash: 0571C1714053009EC314EFA5EC91ABBBBE8FFD5760F40482EF5458B160EB349A49CB52

Function 009B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 009B2B9D
LoadIconW.USER32(00000063), ref: 009B2BB3
LoadIconW.USER32(000000A4), ref: 009B2BC5
LoadIconW.USER32(000000A2), ref: 009B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009B2BEF
RegisterClassExW.USER32(?), ref: 009B2C40

Part of subcall function 009B2CD4: GetSysColorBrush.USER32(0000000F), ref: 009B2D07
Part of subcall function 009B2CD4: RegisterClassExW.USER32(00000030), ref: 009B2D31
Part of subcall function 009B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009B2D42
Part of subcall function 009B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 009B2D5F
Part of subcall function 009B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009B2D6F
Part of subcall function 009B2CD4: LoadIconW.USER32(000000A9), ref: 009B2D85
Part of subcall function 009B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009B2D94

Strings

#, xrefs: 009B2C16
0, xrefs: 009B2C0F
AutoIt v3, xrefs: 009B2C2F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5798ef975500a2bf9fc3b5e75f14a9fc6af12b0a3b15105bf9a28e8835196c82
Instruction ID: ee6e4832431e3ffc98a5096462baad4b52b86dc64365a3b71ba33710ea91039f
Opcode Fuzzy Hash: 5798ef975500a2bf9fc3b5e75f14a9fc6af12b0a3b15105bf9a28e8835196c82
Instruction Fuzzy Hash: D7211A78E01314ABDB50DFE5EC59A997FB8FB48B54F00401AE504AA6A0D7B10542CF90

Function 009B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,009B316A,?,?), ref: 009B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,009B316A,?,?), ref: 009B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,009B316A,?,?), ref: 009B3232
CreatePopupMenu.USER32 ref: 009B3246
PostQuitMessage.USER32(00000000), ref: 009B3267

Strings

TaskbarCreated, xrefs: 009B322D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6efa82351105642517344aa396df616c215a4b85df20e02620a5471cbcea1b97
Instruction ID: 75491781be2a4997f12e9459f1136d8dabbac592f50bb27763ff0437a58cc0fa
Opcode Fuzzy Hash: 6efa82351105642517344aa396df616c215a4b85df20e02620a5471cbcea1b97
Instruction Fuzzy Hash: DF413939244208A7DF14EBBCDF0EBF93A1DEB45370F048525F5168A2A1DB758A439761

Function 009B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009B1459
CoUninitialize.COMBASE ref: 009B14F8
UnregisterHotKey.USER32(?), ref: 009B16DD
DestroyWindow.USER32(?), ref: 009F24B9
FreeLibrary.KERNEL32(?), ref: 009F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009F254B

Strings

close all, xrefs: 009B1454

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b497a025a46ba6c487b9dfe30494136e6ef75af9f11794c500d10cde372ca59a
Instruction ID: b7f728ef1415fe577297bad76da66145fd784ce77339a6c579babd531da6c888
Opcode Fuzzy Hash: b497a025a46ba6c487b9dfe30494136e6ef75af9f11794c500d10cde372ca59a
Instruction Fuzzy Hash: F3D1A131702212CFCB19EF14C5A9B69F7A5BF45720F6441ADE54AAB262CB30EC12CF51

Function 009B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,009B1CAD,?), ref: 009B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,009B1CAD,?), ref: 009B2CCF

Strings

edit, xrefs: 009B2CAC
AutoIt v3, xrefs: 009B2C89, 009B2C8E, 009B2C8F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4b62c17631433bcfc8d065e2b69976d5c90c090901cd3822c7e4cd32c591c23b
Instruction ID: 3fbb9840442ea2e2b5b17ebf602620089a7614879eb3b86077c01eaebafa3ddf
Opcode Fuzzy Hash: 4b62c17631433bcfc8d065e2b69976d5c90c090901cd3822c7e4cd32c591c23b
Instruction Fuzzy Hash: B8F0DA7D5413907AEBB19797AC0CEB72EBDD7C7F60B00005AF904AA5A0D6761853DBB0

Function 009B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009B3B0F,SwapMouseButtons,00000004,?), ref: 009B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009B3B0F,SwapMouseButtons,00000004,?), ref: 009B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,009B3B0F,SwapMouseButtons,00000004,?), ref: 009B3B83

Strings

Control Panel\Mouse, xrefs: 009B3B3E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e76cbce1b5ff98fd190982ff943fe3c4c3181570553e50f2d3e9124b6b37b08c
Instruction ID: 41a5ad5ba2d2baa37e8a4ca320950cb98706836a9859a9c64e4852b280854e78
Opcode Fuzzy Hash: e76cbce1b5ff98fd190982ff943fe3c4c3181570553e50f2d3e9124b6b37b08c
Instruction Fuzzy Hash: B7115AB5511218FFDB20CFA4DD48AFEB7BCEF41760B108959A805D7114E6319E409B60

Function 009B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009F33A2

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 009B3A04

Strings

Line: , xrefs: 009F33EB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3743daa4918ee85e7a220c263f1be18dd16d85a33f613e5c3d9af5f959561892
Instruction ID: 22631910ecdddd7b9d78a183147680f29a8368cb177c79a9282f6ab18bc3d6e4
Opcode Fuzzy Hash: 3743daa4918ee85e7a220c263f1be18dd16d85a33f613e5c3d9af5f959561892
Instruction Fuzzy Hash: A231E671448304ABD725EB60DD45BEBB7DCEF80720F50892AF59983191EF749A4AC7C2

Function 009CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009D0668

Part of subcall function 009D32A4: RaiseException.KERNEL32(?,?,?,009D068A,?,00A81444,?,?,?,?,?,?,009D068A,009B1129,00A78738,009B1129), ref: 009D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 009D0685

Strings

Unknown exception, xrefs: 009D0692

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e493ff81c967633f62e986c394c204bd7f1b7802bb4aea5f107026f77afc84e9
Instruction ID: 38299dd655dabf0f62336040e56fe1e6f2c89707bcd2dd1ef0daf83cb2ef9030
Opcode Fuzzy Hash: e493ff81c967633f62e986c394c204bd7f1b7802bb4aea5f107026f77afc84e9
Instruction Fuzzy Hash: 8FF02234C8020D77CB00BA64EC4AF9E776C6EC0340FA0C536B928A66D1EF30DA25C581

Function 009B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009B1BF4
Part of subcall function 009B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 009B1BFC
Part of subcall function 009B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009B1C07
Part of subcall function 009B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009B1C12
Part of subcall function 009B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 009B1C1A
Part of subcall function 009B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 009B1C22

Part of subcall function 009B1B4A: RegisterWindowMessageW.USER32(00000004,?,009B12C4), ref: 009B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009B136A
OleInitialize.OLE32 ref: 009B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 009F24AB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3aa49fa9bc999b88618869963cb9827745c938f14c7977c6b246e95a932710d8
Instruction ID: 0244df1a61cdfc84b2e9e4aa1d827027eee7101bba9f1e4831b4e33f2d0a2727
Opcode Fuzzy Hash: 3aa49fa9bc999b88618869963cb9827745c938f14c7977c6b246e95a932710d8
Instruction Fuzzy Hash: 34717AB89112009FC388EFF9EA56A953AECFB89364754862ED44AD7262FB304443CF55

Function 00A1C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 009B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A1C259
KillTimer.USER32(?,00000001,?,?), ref: 00A1C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A1C270

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 8baebbd3eb8e36790b4acb6dc897c1296411a4a3dd32c9bca658d6d8b1225dd1
Instruction ID: 134c2d5b1a4d667d7d014b7cb22a2ba73e1ed2221bd08db79da2c7a3dc9c3c5b
Opcode Fuzzy Hash: 8baebbd3eb8e36790b4acb6dc897c1296411a4a3dd32c9bca658d6d8b1225dd1
Instruction Fuzzy Hash: F731E174940344AFEB72DFA48885BEBBBFCAB06318F00009AD2DEA7241C3745AC5CB51

Function 009E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009E85CC,?,00A78CC8,0000000C), ref: 009E8704
GetLastError.KERNEL32(?,009E85CC,?,00A78CC8,0000000C), ref: 009E870E
__dosmaperr.LIBCMT ref: 009E8739

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 07301ce6ad57f89eb716f4ed5560400ab86be947e474d610f2000d248318821b
Instruction ID: a9700796232daf84b7021b4042f644eb70a7eb7c7a221490464fc2434af15306
Opcode Fuzzy Hash: 07301ce6ad57f89eb716f4ed5560400ab86be947e474d610f2000d248318821b
Instruction Fuzzy Hash: BF016B326052E056C263A2F66849B7F674D4BC2B78F3A0119F81C9F1D2DEA28C818250

Function 009BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 009BDB7B
DispatchMessageW.USER32(?), ref: 009BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009BDB9F
Sleep.KERNELBASE(0000000A), ref: 009BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00A01CC9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6820827022bf877550c6064eb8c39d1f4e305dfdf4fad3ec1ef51aacbaef6dbe
Instruction ID: d31ba5ec82a9ec1c70e89ed2bef53e42916d6a09eaf3d659847ed9415ccc6022
Opcode Fuzzy Hash: 6820827022bf877550c6064eb8c39d1f4e305dfdf4fad3ec1ef51aacbaef6dbe
Instruction Fuzzy Hash: 2BF082346463449BEB70CBA0DC89FEA77ACEB85320F104A18F60EC30C0EB309449CB26

Function 009C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009C17F6

Strings

CALL, xrefs: 009C17C6

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 148cacb94d9f982f7c310c1f1bacfc6c2ececb9a320e76152aa8d420508f6b81
Instruction ID: f5200dd851dfadd45ec963a1f5b292eec5d47b57c58e7b6a3be44445c59bb7ab
Opcode Fuzzy Hash: 148cacb94d9f982f7c310c1f1bacfc6c2ececb9a320e76152aa8d420508f6b81
Instruction Fuzzy Hash: 75228B70A082419FC714DF14D490F2ABBF5BF8A314F24896DF49A8B3A2D735E851CB96

Function 009B2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 009F2C8C

Part of subcall function 009B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B3A97,?,?,009B2E7F,?,?,?,00000000), ref: 009B3AC2

Part of subcall function 009B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009B2DC4

Strings

X, xrefs: 009F2C5A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: f7bc4acaaf2976979520dce7e7066e6028087995603e9445b244a74ae89c8cfd
Instruction ID: 387e3a1b365e22b2b34ce44ae21e24903c249770a0bf2728218a8c64c5e49751
Opcode Fuzzy Hash: f7bc4acaaf2976979520dce7e7066e6028087995603e9445b244a74ae89c8cfd
Instruction Fuzzy Hash: 95219371A1025C9BCB41DF94C945BEE7BFCAF89714F008059E509A7241DBB89A498FA1

Function 009B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 009B3908

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 07adebdee34244bf47d1cdca1d9d7ca94f321fcd0edd3cce105321b675265246
Instruction ID: 6ca5241e40356563aad344aa4151ad22543896ab75083d35ec8c6a2e266b1e12
Opcode Fuzzy Hash: 07adebdee34244bf47d1cdca1d9d7ca94f321fcd0edd3cce105321b675265246
Instruction Fuzzy Hash: B831A270504701DFD761DF64D984BD7BBE8FB49718F00092EF69987240E7B1AA45CB52

Function 009CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009CF661

Part of subcall function 009BD730: GetInputState.USER32 ref: 009BD807

Sleep.KERNEL32(00000000), ref: 00A0F2DE

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 6a5a6a771dfd20340b5d0987c019b9f3e0569435d6e45daf6902d02bbb9b32df
Instruction ID: af338f0f21ae74ff8b82209ec5dcda5c23c81c90fca4b56634cac6cfd5279b10
Opcode Fuzzy Hash: 6a5a6a771dfd20340b5d0987c019b9f3e0569435d6e45daf6902d02bbb9b32df
Instruction Fuzzy Hash: 70F08C352402059FD360EF69D549BAAB7E8EF8A770F000029F85EC72A0DBB0A800CB91

Function 009BB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009BBB4E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: eb807618219275f826055486453cbcc6c6070becb6647417d61986e6323fa340
Instruction ID: 24df48b77d3ad0ebb7a8566ec7cf4058a5419ee3e4283ad2eb1da3fa5a069c86
Opcode Fuzzy Hash: eb807618219275f826055486453cbcc6c6070becb6647417d61986e6323fa340
Instruction Fuzzy Hash: E7328C75A002099FDB24CF54CA94FFEB7B9EF44324F148059E905AB2A1C7B8ED41CB91

Function 009B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009B4EDD,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4E9C
Part of subcall function 009B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009B4EAE
Part of subcall function 009B4E90: FreeLibrary.KERNEL32(00000000,?,?,009B4EDD,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4EFD

Part of subcall function 009B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009F3CDE,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4E62
Part of subcall function 009B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009B4E74
Part of subcall function 009B4E59: FreeLibrary.KERNEL32(00000000,?,?,009F3CDE,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4E87

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b6ff0b3a5b415e210b0924d4013e1ad1d7c1c0589a331ced66d691f9cb52840c
Instruction ID: e45d31c3c4e4fb2848d25efc3f6859a363f6a9f56aed956726fcf4b891d85f32
Opcode Fuzzy Hash: b6ff0b3a5b415e210b0924d4013e1ad1d7c1c0589a331ced66d691f9cb52840c
Instruction Fuzzy Hash: FD11E732600205AACF14FB64DE02FFD77A5AF80720F10842DF546A71C2DE74DA45AB50

Function 009E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 009E8440

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 23fea00b41b488f7a9a6e4fee3c8f31db17d452e4eec351969b6be800980f266
Instruction ID: 5d963adc4e19f11fbfecd521607bcda766ec4ada8a97a3727437afa636fe4aad
Opcode Fuzzy Hash: 23fea00b41b488f7a9a6e4fee3c8f31db17d452e4eec351969b6be800980f266
Instruction Fuzzy Hash: B211187590410AAFCB06DF99E941A9B7BF9EF48314F104059F808AB352EA31DE21CBA5

Function 009E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009E4C7D: RtlAllocateHeap.NTDLL(00000008,009B1129,00000000,?,009E2E29,00000001,00000364,?,?,?,009DF2DE,009E3863,00A81444,?,009CFDF5,?), ref: 009E4CBE

_free.LIBCMT ref: 009E506C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b4bc314f05911839b1e9eefecadcc3db69fbff804c84e533a7563a3887f2137b
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: DB012B722047446BE3228F66D845A5AFBECFB89370F26051DF184932C0E670AC05C674

Function 009DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e38810cb2e89ac43286b833b0ae4fe738bfc58d6f722f4a5ebbd535bcfbaef49
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8CF02832551A1496C7323A7A8C09B9B339C9FE2375F108B1BF4259B3D2DB74EC0286A5

Function 009E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,009B1129,00000000,?,009E2E29,00000001,00000364,?,?,?,009DF2DE,009E3863,00A81444,?,009CFDF5,?), ref: 009E4CBE

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5973574a18731803b3e5abd70caa7fc129d0773531cad56e9ab4b047e7eb6291
Instruction ID: f616ac9e858019c682096cd4f06f5eeccb0c52ce307dda9787bbc2c34dfa5539
Opcode Fuzzy Hash: 5973574a18731803b3e5abd70caa7fc129d0773531cad56e9ab4b047e7eb6291
Instruction Fuzzy Hash: 2AF0E9316432A467DB235F679C05BDA378CBF817B0B348512B89AAB690CA30DC0186E0

Function 009E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A81444,?,009CFDF5,?,?,009BA976,00000010,00A81440,009B13FC,?,009B13C6,?,009B1129), ref: 009E3852

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4d33bdb16ad5eb8fbdc3e2a4051f72c162f95c598bb87b4c4f4a1e725fd89af8
Instruction ID: 3611aee667ff4e051820976e0b8473e9b24d2ac036484250001afa01c49a1cf3
Opcode Fuzzy Hash: 4d33bdb16ad5eb8fbdc3e2a4051f72c162f95c598bb87b4c4f4a1e725fd89af8
Instruction Fuzzy Hash: ECE0E5311412A467D63326A7DC09B9A375CABC27B0F05C222BC15A7991CB21DD0282E0

Function 009B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4F6D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6452e87887930f443b06780d6e13a36311552643d6e2637b9d04e0ac1084eeee
Instruction ID: 8753c9573cc49c28234f6427d0ed557645550b9d3d1fa7eb769af86133a49179
Opcode Fuzzy Hash: 6452e87887930f443b06780d6e13a36311552643d6e2637b9d04e0ac1084eeee
Instruction Fuzzy Hash: 35F01575505752CFDB349F64D5908A2BBE8AF143293208A6EE1EA87622C7369844EF50

Function 00A42A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A42A66

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1c204b77851dafb5d4f09e6cacec481c6d4737ebbed2cbe81b82b71ddedf8373
Instruction ID: 5a7f28ca566410419a853bff2871027dcfabb807b418fc72356cd9b7af06b0bf
Opcode Fuzzy Hash: 1c204b77851dafb5d4f09e6cacec481c6d4737ebbed2cbe81b82b71ddedf8373
Instruction Fuzzy Hash: E8E04F3A350126AAC754EB34EC849FAB35CEF953D57504536BC1AC3100DB309A9687A0

Function 009B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 009B314E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f423eb24aa1942ddf39edc046033fec873ccf622756ef846716ab6c8362e126f
Instruction ID: 1f2cfa4fc68438b59562395f8ec5544980fba40646c7b96c25c1bc5a19b8d394
Opcode Fuzzy Hash: f423eb24aa1942ddf39edc046033fec873ccf622756ef846716ab6c8362e126f
Instruction Fuzzy Hash: EFF037749143149FEB92DB64DC4A7D57BBCE701708F0000E5A54897291D774578ACF51

Function 009B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009B2DC4

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 980d341a43f3089546c6f6aaada443afcc262f294126244745ea5af8fa187657
Instruction ID: 8a7a8dad3846f0e344e7819256c730a5c584cf77e6a4cfe0073288fd4dd77958
Opcode Fuzzy Hash: 980d341a43f3089546c6f6aaada443afcc262f294126244745ea5af8fa187657
Instruction Fuzzy Hash: 00E0CD766051245BC710E2989C05FEA77EDDFC87A0F040071FD09D7248DAA4AD808690

Function 009B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009B3908

Part of subcall function 009BD730: GetInputState.USER32 ref: 009BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 009B2B6B

Part of subcall function 009B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 009B314E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 67af288785057c568b410d8267d46cac92e0ea58217547dcd7cf738961658c82
Instruction ID: 57a7a62d0b302452d4ef2248afe46bf42dcc291a4bb7e63a379575f011181496
Opcode Fuzzy Hash: 67af288785057c568b410d8267d46cac92e0ea58217547dcd7cf738961658c82
Instruction Fuzzy Hash: C3E08C6670424406CA08FBB4AAA2AEDA75D9BD2371F40553EF146871A3DE258A4A8352

Function 009F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,009F0704,?,?,00000000,?,009F0704,00000000,0000000C), ref: 009F03B7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f557cd8b796cd955a5f5c83723d02ff8f5a3633208892679645ef38881016af6
Instruction ID: c38157470e0562c739005f6d36243c99ca161b16c36d6a31bd38267cc0f53d9b
Opcode Fuzzy Hash: f557cd8b796cd955a5f5c83723d02ff8f5a3633208892679645ef38881016af6
Instruction Fuzzy Hash: F1D06C3604010DBBDF028F84DD06EDA3BAAFB88714F014100BE1856020C732E822AB90

Function 009B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 009B1CBC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3869789dd3c17e912cecf7f54e5174a37fcde7aed49001c788a88719d245998a
Instruction ID: 5b5361b6033c140f0c699e042423bc7a493d5ce117d07eefb52254657208b667
Opcode Fuzzy Hash: 3869789dd3c17e912cecf7f54e5174a37fcde7aed49001c788a88719d245998a
Instruction Fuzzy Hash: FDC0483A2C0204AAE258CBC0BC4AF647768A388B14F048001F609A95E382A22822AB51

Non-executed Functions

Function 00A49576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A4961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A4965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A4969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A496C9
SendMessageW.USER32 ref: 00A496F2
GetKeyState.USER32(00000011), ref: 00A4978B
GetKeyState.USER32(00000009), ref: 00A49798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A497AE
GetKeyState.USER32(00000010), ref: 00A497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A497E9
SendMessageW.USER32 ref: 00A49810
SendMessageW.USER32(?,00001030,?,00A47E95), ref: 00A49918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A4992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A49941
SetCapture.USER32(?), ref: 00A4994A
ClientToScreen.USER32(?,?), ref: 00A499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A499D6
ReleaseCapture.USER32 ref: 00A499E1
GetCursorPos.USER32(?), ref: 00A49A19
ScreenToClient.USER32(?,?), ref: 00A49A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A49A80
SendMessageW.USER32 ref: 00A49AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A49AEB
SendMessageW.USER32 ref: 00A49B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A49B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A49B4A
GetCursorPos.USER32(?), ref: 00A49B68
ScreenToClient.USER32(?,?), ref: 00A49B75
GetParent.USER32(?), ref: 00A49B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A49BFA
SendMessageW.USER32 ref: 00A49C2B
ClientToScreen.USER32(?,?), ref: 00A49C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A49CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A49CDE
SendMessageW.USER32 ref: 00A49D01
ClientToScreen.USER32(?,?), ref: 00A49D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A49D82

Part of subcall function 009C9944: GetWindowLongW.USER32(?,000000EB), ref: 009C9952

GetWindowLongW.USER32(?,000000F0), ref: 00A49E05

Strings

F, xrefs: 00A49D07
@GUI_DRAGID, xrefs: 00A4997D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 28013d0a987e46b3f11d18618e997296a5a72654db0417a25550415e97401fec
Instruction ID: 5bd465cb0b4c724738591b99f0edd4b3f837eda5f9c037ffd131b7272e3214a8
Opcode Fuzzy Hash: 28013d0a987e46b3f11d18618e997296a5a72654db0417a25550415e97401fec
Instruction Fuzzy Hash: 2E427C38605201AFD724CF64CC85EABBBE9FFC9320F154619F699872A1D731A861CF52

Function 00A44873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A44908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A44927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A4494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A4495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A4497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A44A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A44A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A44A7E
IsMenu.USER32(?), ref: 00A44A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A44AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A44B20
GetWindowLongW.USER32(?,000000F0), ref: 00A44B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A44BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A44C82
wsprintfW.USER32 ref: 00A44CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A44CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A44CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A44D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A44D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A44D5A

Strings

%d/%02d/%02d, xrefs: 00A44CA8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: d51178924be51bd07f855e62581bce2e22f0d09cc9417c1353682f1600e20767
Instruction ID: 1bd4755a5f88bc41bb9cf920492f92515a1a25083c20f01060089e8c6dc38854
Opcode Fuzzy Hash: d51178924be51bd07f855e62581bce2e22f0d09cc9417c1353682f1600e20767
Instruction Fuzzy Hash: B6120479A00214ABEB248F64CC49FAE7BF8EFC9710F104129F919DB2E1DB799941CB50

Function 009CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 009CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A0F474
IsIconic.USER32(00000000), ref: 00A0F47D
ShowWindow.USER32(00000000,00000009), ref: 00A0F48A
SetForegroundWindow.USER32(00000000), ref: 00A0F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A0F4AA
GetCurrentThreadId.KERNEL32 ref: 00A0F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A0F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A0F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A0F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A0F4DE
SetForegroundWindow.USER32(00000000), ref: 00A0F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A0F4F6
keybd_event.USER32(00000012,00000000), ref: 00A0F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A0F50B
keybd_event.USER32(00000012,00000000), ref: 00A0F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A0F519
keybd_event.USER32(00000012,00000000), ref: 00A0F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A0F528
keybd_event.USER32(00000012,00000000), ref: 00A0F52D
SetForegroundWindow.USER32(00000000), ref: 00A0F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A0F557

Strings

Shell_TrayWnd, xrefs: 00A0F46F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: da24aad0c43e8b4cb6d1e8e183cfe153375c296768b9b6a75fc63f81832bfdb6
Instruction ID: 12d7d9480800e273e2f7bf0222017279d57bb11ef8715cfe1ec5f9a20a7ce52b
Opcode Fuzzy Hash: da24aad0c43e8b4cb6d1e8e183cfe153375c296768b9b6a75fc63f81832bfdb6
Instruction Fuzzy Hash: 08316279A812187FEB606BF55C4AFBF7E6CEB85B60F100025FA04F61D1C6B16901AA61

Function 00A11201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A1170D
Part of subcall function 00A116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A1173A
Part of subcall function 00A116C3: GetLastError.KERNEL32 ref: 00A1174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A11286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A112A8
CloseHandle.KERNEL32(?), ref: 00A112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A112D1
GetProcessWindowStation.USER32 ref: 00A112EA
SetProcessWindowStation.USER32(00000000), ref: 00A112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A11310

Part of subcall function 00A110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A111FC), ref: 00A110D4
Part of subcall function 00A110BF: CloseHandle.KERNEL32(?,?,00A111FC), ref: 00A110E9

Strings

winsta0, xrefs: 00A112CC
default, xrefs: 00A1130B
, xrefs: 00A1125A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d4bbe99fdd96cad730c2d7c71dca4e9243e1da8851280327e5e7275956c185b3
Instruction ID: 4a5159d7afd388351777d73cf81d51cc40cf8a420aa290620098b0009bf88509
Opcode Fuzzy Hash: d4bbe99fdd96cad730c2d7c71dca4e9243e1da8851280327e5e7275956c185b3
Instruction Fuzzy Hash: 7281D0B5A00208AFDF20DFA4DC49FEE7BB9EF45B14F148129FA15E61A0D7718985CB21

Function 00A10B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A11114
Part of subcall function 00A110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A11120
Part of subcall function 00A110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A1112F
Part of subcall function 00A110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A11136
Part of subcall function 00A110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A10BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A10C00
GetLengthSid.ADVAPI32(?), ref: 00A10C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A10C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A10C6D
GetLengthSid.ADVAPI32(?), ref: 00A10C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A10C8C
HeapAlloc.KERNEL32(00000000), ref: 00A10C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A10CB4
CopySid.ADVAPI32(00000000), ref: 00A10CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A10CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A10D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A10D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A10D45
HeapFree.KERNEL32(00000000), ref: 00A10D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A10D55
HeapFree.KERNEL32(00000000), ref: 00A10D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A10D65
HeapFree.KERNEL32(00000000), ref: 00A10D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A10D78
HeapFree.KERNEL32(00000000), ref: 00A10D7F

Part of subcall function 00A11193: GetProcessHeap.KERNEL32(00000008,00A10BB1,?,00000000,?,00A10BB1,?), ref: 00A111A1
Part of subcall function 00A11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A10BB1,?), ref: 00A111A8
Part of subcall function 00A11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A10BB1,?), ref: 00A111B7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 31251bcf23d28a1e233174f12e90829951f4cc698f2fd88ffa2804022d83a6f5
Instruction ID: 86ebb689135f663cdeba2b489396c297538cf8d583701fcf21e261787c118705
Opcode Fuzzy Hash: 31251bcf23d28a1e233174f12e90829951f4cc698f2fd88ffa2804022d83a6f5
Instruction Fuzzy Hash: 2D718E7990121AABDF10DFE4DC44FEEBBB8BF45310F044215E918A7191D7B1A985CBA0

Function 00A2EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A4CC08), ref: 00A2EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A2EB37
GetClipboardData.USER32(0000000D), ref: 00A2EB43
CloseClipboard.USER32 ref: 00A2EB4F
GlobalLock.KERNEL32(00000000), ref: 00A2EB87
CloseClipboard.USER32 ref: 00A2EB91
GlobalUnlock.KERNEL32(00000000), ref: 00A2EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A2EBC9
GetClipboardData.USER32(00000001), ref: 00A2EBD1
GlobalLock.KERNEL32(00000000), ref: 00A2EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00A2EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A2EC38
GetClipboardData.USER32(0000000F), ref: 00A2EC44
GlobalLock.KERNEL32(00000000), ref: 00A2EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A2EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A2EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A2ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00A2ECF3
CountClipboardFormats.USER32 ref: 00A2ED14
CloseClipboard.USER32 ref: 00A2ED59

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: fa4f4c2631dc07b8510ba677984ba0320b4e4edf799ee32c6442765775a0161e
Instruction ID: 4fcb8b457b0ca7c2c519acebc8a2867f5e3db4d571d3fd9879521b99f8b0ec88
Opcode Fuzzy Hash: fa4f4c2631dc07b8510ba677984ba0320b4e4edf799ee32c6442765775a0161e
Instruction Fuzzy Hash: 5E61D3382042019FD340EF68E988F6AB7E4AFC5724F14852DF45A872A1CB71DD86CB62

Function 00A2698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A269BE
FindClose.KERNEL32(00000000), ref: 00A26A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A26A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A26A75

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A26AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A26ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A26B32
%4d, xrefs: 00A26BB1
%03d, xrefs: 00A26DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00A26B6A
%02d, xrefs: 00A26C00, 00A26C0A, 00A26C5A, 00A26CAA, 00A26CFA, 00A26D4A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 86417e3a7844bcd79f90283aca5ee3452e7189f93823c6c12aec7cf6ac11060f
Instruction ID: b268a5504ba186563d693f7dc17d6f9f5a634e1a7691813a44d1ade492df9de3
Opcode Fuzzy Hash: 86417e3a7844bcd79f90283aca5ee3452e7189f93823c6c12aec7cf6ac11060f
Instruction Fuzzy Hash: 0ED15EB2508300AFC710EBA4D991FABB7ECAFC8714F04492DF589C6191EB74DA04CB62

Function 00A29642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A29663
GetFileAttributesW.KERNEL32(?), ref: 00A296A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A296BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A296D3
FindClose.KERNEL32(00000000), ref: 00A296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A2974A
SetCurrentDirectoryW.KERNEL32(00A76B7C), ref: 00A29768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A29772
FindClose.KERNEL32(00000000), ref: 00A2977F
FindClose.KERNEL32(00000000), ref: 00A2978F

Strings

*.*, xrefs: 00A296F5

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3522bfb4c07c38a08191904f3f52cee6bfc332f0f8694cf289a88ae50e6a83ea
Instruction ID: 0bc4b62468a98115aabb324db70160adcde506988e561f0a5d6f28b51c21d7a0
Opcode Fuzzy Hash: 3522bfb4c07c38a08191904f3f52cee6bfc332f0f8694cf289a88ae50e6a83ea
Instruction Fuzzy Hash: F731E5365416297BDB10EFF8EC48ADF77ACAF8A730F108066F918E2190EB71D9458A14

Function 00A2979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A29819
FindClose.KERNEL32(00000000), ref: 00A29824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A29840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A29890
SetCurrentDirectoryW.KERNEL32(00A76B7C), ref: 00A298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A298B8
FindClose.KERNEL32(00000000), ref: 00A298C5
FindClose.KERNEL32(00000000), ref: 00A298D5

Part of subcall function 00A1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A1DB00

Strings

*.*, xrefs: 00A2983B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ca67402327b2d1c0eba3c41e89f11df1573eaa90f865c4d1bec41766d6e80ae3
Instruction ID: 9e0680d33b601ea7cd0c20b81c8d53f51874d9d0c2b035f26cd504e982617ddf
Opcode Fuzzy Hash: ca67402327b2d1c0eba3c41e89f11df1573eaa90f865c4d1bec41766d6e80ae3
Instruction Fuzzy Hash: EC3105365416297ADB10EFF8EC48ADF73BCAF86730F148066E918E2190DB71D9458B20

Function 00A3BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A3B6AE,?,?), ref: 00A3C9B5
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3C9F1
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA68
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A3BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A3BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00A3BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A3C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A3C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A3C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A3C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A3C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A3C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A3C382
RegCloseKey.ADVAPI32(00000000), ref: 00A3C38F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: f90685d091acedbf3344dd6937a11052d49013c579e369ddf933bbe5690307cb
Instruction ID: 8401460fe186eda60b7a2699bd866cbf4aa40498568ff67c9d5047a931582e07
Opcode Fuzzy Hash: f90685d091acedbf3344dd6937a11052d49013c579e369ddf933bbe5690307cb
Instruction Fuzzy Hash: FC024D71604200AFD714DF28C995F2ABBE5EF89324F18849DF84ADB2A2DB31ED45CB51

Function 00A28195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A28257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A28267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A28273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A28310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A28324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A28356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A2838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A28395

Strings

*.*, xrefs: 00A2839B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c7b4528a91c89896940fd7bce4a5d3f63fdff858f1f26024c26150d867742347
Instruction ID: 16a1a8ad444ae11366fba86d1edf137eab9b38da906bf57ec293312bf3a77b5b
Opcode Fuzzy Hash: c7b4528a91c89896940fd7bce4a5d3f63fdff858f1f26024c26150d867742347
Instruction Fuzzy Hash: DD618BB65043159FC710EF64D840AAEB3E8FFC9320F04892EF99987251EB75E945CB92

Function 00A1D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B3A97,?,?,009B2E7F,?,?,?,00000000), ref: 009B3AC2

Part of subcall function 00A1E199: GetFileAttributesW.KERNEL32(?,00A1CF95), ref: 00A1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A1D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A1D1DD
MoveFileW.KERNEL32(?,?), ref: 00A1D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A1D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A1D237

Part of subcall function 00A1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A1D21C,?,?), ref: 00A1D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A1D253
FindClose.KERNEL32(00000000), ref: 00A1D264

Strings

\*.*, xrefs: 00A1D0CD, 00A1D0D6, 00A1D0EB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e6e2c53dbdf5144aea93f5aa72da527d89f46cfb817b5e46630a9087036db338
Instruction ID: c249de46633ad5140c680ab721f659dc9a164a9558303722a5cec631c0f90cf0
Opcode Fuzzy Hash: e6e2c53dbdf5144aea93f5aa72da527d89f46cfb817b5e46630a9087036db338
Instruction Fuzzy Hash: 66618D31C0110DAFCF05EBE0CA92AEDB7B5AF95310F248169E41677191EB31AF49DB60

Function 00A2ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A2ED91
EmptyClipboard.USER32 ref: 00A2ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A2EDAC
CloseClipboard.USER32 ref: 00A2EEA3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f0b4ee87bfb59f77ab56be08642a5031c2ffcde77f7e8e78586570979522543d
Instruction ID: 663c7fa926989a107ad66f8042563b86bd5b487ac62cbee1d5d0b5e2d6f52d11
Opcode Fuzzy Hash: f0b4ee87bfb59f77ab56be08642a5031c2ffcde77f7e8e78586570979522543d
Instruction Fuzzy Hash: 7F41D239205621AFD310DF59E848F59BBE5FF85328F15C0A9E4198B762C772EC82CB90

Function 00A1E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A1170D
Part of subcall function 00A116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A1173A
Part of subcall function 00A116C3: GetLastError.KERNEL32 ref: 00A1174A

ExitWindowsEx.USER32(?,00000000), ref: 00A1E932

Strings

, xrefs: 00A1E95C
SeShutdownPrivilege, xrefs: 00A1E902
, xrefs: 00A1E920
@, xrefs: 00A1E925

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: be4624c4c9f498de044c680f608b6405b787fd8cb4094ad30983941af761a057
Instruction ID: 913a222a8aadab8a576405cabbd62d38ce2ee4a88bfee626bb2659ee7d8895c2
Opcode Fuzzy Hash: be4624c4c9f498de044c680f608b6405b787fd8cb4094ad30983941af761a057
Instruction Fuzzy Hash: 1C014936A10311ABEB54A3B49C86FFFB26CAB08750F144822FD13E21D1D5A65CC081A4

Function 00A31204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A31276
WSAGetLastError.WSOCK32 ref: 00A31283
bind.WSOCK32(00000000,?,00000010), ref: 00A312BA
WSAGetLastError.WSOCK32 ref: 00A312C5
closesocket.WSOCK32(00000000), ref: 00A312F4
listen.WSOCK32(00000000,00000005), ref: 00A31303
WSAGetLastError.WSOCK32 ref: 00A3130D
closesocket.WSOCK32(00000000), ref: 00A3133C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bd22030b1ea1fa9cb4be8694abab714ef41b78e05112f8e9449532149c1d53f7
Instruction ID: 7f4d5b5f6f95152c3ddf9eed60b7a3ff00a7023f9092e6a2b19638735d94cbea
Opcode Fuzzy Hash: bd22030b1ea1fa9cb4be8694abab714ef41b78e05112f8e9449532149c1d53f7
Instruction Fuzzy Hash: 954182356001009FD710DFA4C589B6ABBF5BF86328F188198E8569F2D6C771ED82CBE1

Function 00A1D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B3A97,?,?,009B2E7F,?,?,?,00000000), ref: 009B3AC2

Part of subcall function 00A1E199: GetFileAttributesW.KERNEL32(?,00A1CF95), ref: 00A1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A1D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A1D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A1D481
FindClose.KERNEL32(00000000), ref: 00A1D498
FindClose.KERNEL32(00000000), ref: 00A1D4A1

Strings

\*.*, xrefs: 00A1D3F2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: fa9ab37a069729be0cd30c16e6a2aeb9d16dd1e2ef19047dff25905ffc146a12
Instruction ID: 7df2e802ae3d76099833e776ea97560bec4b5792f34c0b60273d944ede506638
Opcode Fuzzy Hash: fa9ab37a069729be0cd30c16e6a2aeb9d16dd1e2ef19047dff25905ffc146a12
Instruction Fuzzy Hash: 61319C31019341AFC300EF64C9919EFB7E8AED2320F848A1DF4D593191EB20AA49CB63

Function 009EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009EE645

Strings

1#IND, xrefs: 009EF83D
1#INF, xrefs: 009EF852
1#QNAN, xrefs: 009EF84B
1#SNAN, xrefs: 009EF844

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1b711c3142b040f98cf46034eddf0027e847a30cbfbfbc2da8137817919d16bd
Instruction ID: 9a17c6a51bda713a98e7bdc21e914ed41bf513280367e568c1e3a16778d8be2e
Opcode Fuzzy Hash: 1b711c3142b040f98cf46034eddf0027e847a30cbfbfbc2da8137817919d16bd
Instruction Fuzzy Hash: FFC27B71E046698FDB26CF29CD507EAB7B9EB88305F1445EAD40DE7240E778AE818F40

Function 00A2648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A264DC
CoInitialize.OLE32(00000000), ref: 00A26639
CoCreateInstance.OLE32(00A4FCF8,00000000,00000001,00A4FB68,?), ref: 00A26650
CoUninitialize.OLE32 ref: 00A268D4

Strings

.lnk, xrefs: 00A264BA, 00A26524, 00A265E0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d54e600a314fe6cd2bae3373421a26288958bf8067bc17030d275fc553c765fd
Instruction ID: 53b77725e8391a768d9a926d109ee1476dee6d4bbdd948e3531353e5864f449b
Opcode Fuzzy Hash: d54e600a314fe6cd2bae3373421a26288958bf8067bc17030d275fc553c765fd
Instruction Fuzzy Hash: 5AD15971509211AFC304EF24C981AABB7E8FFD4714F10496DF5958B291EB70ED05CBA2

Function 00A322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A322E8

Part of subcall function 00A2E4EC: GetWindowRect.USER32(?,?), ref: 00A2E504

GetDesktopWindow.USER32 ref: 00A32312
GetWindowRect.USER32(00000000), ref: 00A32319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A32355
GetCursorPos.USER32(?), ref: 00A32381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A323DF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 25a8ad27974ca8d979c9a3dc02aa827480f577a46e5218da2d4852693bbd5643
Instruction ID: 2cdcd4af821321950805770e58e8e4cb74809d5fa3d8600e5753ca0d24141d2e
Opcode Fuzzy Hash: 25a8ad27974ca8d979c9a3dc02aa827480f577a46e5218da2d4852693bbd5643
Instruction Fuzzy Hash: DA313136505305AFC720DF58D848F9BBBA9FFC4720F000919F9899B181CB31EA09CB92

Function 00A29B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A29B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A29C8B

Part of subcall function 00A23874: GetInputState.USER32 ref: 00A238CB
Part of subcall function 00A23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A23966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A29BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A29C75

Strings

*.*, xrefs: 00A29B5D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 6bbd0624ce43e713ecb2cbe2f26faee26434a5445c59ac449e510dd151ae9c92
Instruction ID: 378cd58322f87beacc6479569132ef829d5781698e36323ba74d6059fcde66db
Opcode Fuzzy Hash: 6bbd0624ce43e713ecb2cbe2f26faee26434a5445c59ac449e510dd151ae9c92
Instruction Fuzzy Hash: 70418275900219AFDF54DFA8D985BEF7BB4FF45710F20806AE805A2191EB319E84CF61

Function 009C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 009C9A4E
GetSysColor.USER32(0000000F), ref: 009C9B23
SetBkColor.GDI32(?,00000000), ref: 009C9B36

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 1a459b23b8e37a45301f39436a863fe71529ebc222c6d9151e1025a3a53d02ec
Instruction ID: 62b537907a7d67a0ea312199cb1b48316d5b8c18727d7f17e9b3e4b6e5a19a25
Opcode Fuzzy Hash: 1a459b23b8e37a45301f39436a863fe71529ebc222c6d9151e1025a3a53d02ec
Instruction Fuzzy Hash: 59A1D471A08448BEE725AB2C9C9DF7F269DEB82340F15450DF502DA6D1CA3AAD02D273

Function 00A31806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A3307A
Part of subcall function 00A3304E: _wcslen.LIBCMT ref: 00A3309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A3185D
WSAGetLastError.WSOCK32 ref: 00A31884
bind.WSOCK32(00000000,?,00000010), ref: 00A318DB
WSAGetLastError.WSOCK32 ref: 00A318E6
closesocket.WSOCK32(00000000), ref: 00A31915

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 3814ba863cbe27fff83e839a4606a9362cd10e542c35c57f3b58a6756d5cb17a
Instruction ID: 2a3ad5a6edf16d820107cc2e6ff66887f4456422b6ccfac1354c7ef338f243c7
Opcode Fuzzy Hash: 3814ba863cbe27fff83e839a4606a9362cd10e542c35c57f3b58a6756d5cb17a
Instruction Fuzzy Hash: A051C575A00200AFDB10EF64C986F6A77E5ABC5728F08809CF9059F3D3D771AD418BA1

Function 00A41C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A41CC0
IsWindowEnabled.USER32 ref: 00A41CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A41CDB
IsIconic.USER32 ref: 00A41CE9
IsZoomed.USER32 ref: 00A41CF7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: eb3fa40c15b4c4b171f48b3539da929165bee3d45de2fd0b5f722ae9a7f54f91
Instruction ID: 0e819a6e4a7402727c534912e263e94837bb79f217098d367a654b07f624a8f6
Opcode Fuzzy Hash: eb3fa40c15b4c4b171f48b3539da929165bee3d45de2fd0b5f722ae9a7f54f91
Instruction Fuzzy Hash: 4021B5397412115FD7208F1ADC84B6A7BE5EFC5325F198068E84ACB351D772DC82CB90

Function 009B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009B83E8
VUUU, xrefs: 009F5DF0
VUUU, xrefs: 009B83FA
ERCP, xrefs: 009B813C
VUUU, xrefs: 009B843C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 63d82742efc292becbebeb850f4e74bb5147b64462e31cb8e9648e9af991f441
Instruction ID: 9cc6848b3205bb5faa2c19819d3972b3e3ea5606902a4e76a62e493f96b364a0
Opcode Fuzzy Hash: 63d82742efc292becbebeb850f4e74bb5147b64462e31cb8e9648e9af991f441
Instruction Fuzzy Hash: F7A27E70A0021ECBDF24CF58C9407FEB7B9BB58324F2585AAEA15A7284DB749D81CF50

Function 00A1AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A1AAAC
SetKeyboardState.USER32(00000080), ref: 00A1AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A1AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A1AB88

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5bc0bb15bb136986d1ef0a53e2601a61e4a81a2d0b3557d6ad1bb2f708a543b8
Instruction ID: 45ead741bea10eb86749f3bf4d7fd176c9e0a77c02465a0d59b6729d15969758
Opcode Fuzzy Hash: 5bc0bb15bb136986d1ef0a53e2601a61e4a81a2d0b3557d6ad1bb2f708a543b8
Instruction Fuzzy Hash: 98312770A4A298AEEB30CB64CC05BFA7BB6AF65320F04421AF085561D1D3758DC1C766

Function 009EBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009EBB7F

Part of subcall function 009E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000), ref: 009E29DE
Part of subcall function 009E29C8: GetLastError.KERNEL32(00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000,00000000), ref: 009E29F0

GetTimeZoneInformation.KERNEL32 ref: 009EBB91
WideCharToMultiByte.KERNEL32(00000000,?,00A8121C,000000FF,?,0000003F,?,?), ref: 009EBC09
WideCharToMultiByte.KERNEL32(00000000,?,00A81270,000000FF,?,0000003F,?,?,?,00A8121C,000000FF,?,0000003F,?,?), ref: 009EBC36

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c15a2466e24f65d06f2fc7671028a2f309c766b99db2f227ef4a69cb42de5636
Instruction ID: aaaaf913e1899505c02a8cb7b6dac258b1f0a5a5e93be60d582257bd9fcf5ac9
Opcode Fuzzy Hash: c15a2466e24f65d06f2fc7671028a2f309c766b99db2f227ef4a69cb42de5636
Instruction Fuzzy Hash: 7B31D970904285DFCB12DFAADC8156EBBBCFF457107144669E094D72A1E7309D02CB50

Function 00A2CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A2CE89
GetLastError.KERNEL32(?,00000000), ref: 00A2CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A2CEFE

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9fb56f887ed73fc74e613a976f26c63d8933df3b527aeba091d556e73bf83997
Instruction ID: 00a9b235cf43bb2c09bb5f487f3bed7df3d775b218ee9c111fe5bf51f222d637
Opcode Fuzzy Hash: 9fb56f887ed73fc74e613a976f26c63d8933df3b527aeba091d556e73bf83997
Instruction Fuzzy Hash: CC21CFB5500715ABDB20DFA9E948BABB7FCEB40368F10842EE546D2151E770EE058B50

Function 00A18298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A182AA

Strings

|, xrefs: 00A182DA
(, xrefs: 00A182F0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5a69e77b233001365b8f625190bc6bcc8d577af5e2946692af764f7776b19913
Instruction ID: e208765db2e345f3db2b51da7536e1feda1889dc8f3de2318d50bd073cfceff9
Opcode Fuzzy Hash: 5a69e77b233001365b8f625190bc6bcc8d577af5e2946692af764f7776b19913
Instruction Fuzzy Hash: A5323775A007059FC728CF59C480AAAB7F1FF48710B15C56EE4AADB3A1EB74E981CB44

Function 00A25C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A25CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A25D17
FindClose.KERNEL32(?), ref: 00A25D5F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: edb11a503409fb24746b1feda37a0045f62af66e4b7512dabfdc4503748dc702
Instruction ID: 4e7af548a5b0bb1f05490d1f007bdfbdf3ec4bbb55bb58649b685bec2ac4af06
Opcode Fuzzy Hash: edb11a503409fb24746b1feda37a0045f62af66e4b7512dabfdc4503748dc702
Instruction Fuzzy Hash: 1D518A74A04A019FC714DF28D494A96B7E4FF89324F14856EE95A8B3A2DB30ED05CF91

Function 009E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 009E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 009E2731

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a258fab7153988a998b8706ee8b99b4ff26553a6d4fc5c66bea62b2dc1ec5fd5
Instruction ID: c484b94debdbbbfe4f8a543eb836c9a920da8250a22079aacfbe44e427515394
Opcode Fuzzy Hash: a258fab7153988a998b8706ee8b99b4ff26553a6d4fc5c66bea62b2dc1ec5fd5
Instruction Fuzzy Hash: 5B31D374941218ABCB21DF68DD897DCBBB8AF48710F5081EAE80CA7260E7709F818F44

Function 00A251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A25238
SetErrorMode.KERNEL32(00000000), ref: 00A252A1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0180730f1ba883ce4d1a382b107ac65c67d4f2e7c947cb6fc9103345ad6c7f45
Instruction ID: 31c24129756efb349930215ac0490ecc509c4ab7f6b73d483b31bd2f5bf8401e
Opcode Fuzzy Hash: 0180730f1ba883ce4d1a382b107ac65c67d4f2e7c947cb6fc9103345ad6c7f45
Instruction Fuzzy Hash: 08312D75A00518DFDB00DF94D884EEDBBB5FF49314F148099E8099B392DB72E856CB50

Function 00A116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 009CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009D0668
Part of subcall function 009CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A1170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A1173A
GetLastError.KERNEL32 ref: 00A1174A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 73b8e568def45883830ef335f34259c7c34df6a756c9be3ad9a8cb4069baf473
Instruction ID: 2395d02fec8b0a0132d4becbb5e807d1fd5e134bac1c0d10c49d4c4d12282178
Opcode Fuzzy Hash: 73b8e568def45883830ef335f34259c7c34df6a756c9be3ad9a8cb4069baf473
Instruction Fuzzy Hash: D811C4B1400304AFD718DF54DC86EAAB7BDEB84714B20852EE05657691EB71BC418A60

Function 00A1D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A1D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A1D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A1D650

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: cdb07281ab2c767ede9f9c1f5740b1df964194fcbae51fb332830136f791d1e0
Instruction ID: 5d9c48738ed9337e34514d63e75943c64ddd562ef7ee7d17e662864ac49d7a29
Opcode Fuzzy Hash: cdb07281ab2c767ede9f9c1f5740b1df964194fcbae51fb332830136f791d1e0
Instruction Fuzzy Hash: BB113C75E05228BBDB208F999C45FEFBBBCEB45B60F108115F918E7290D6B05A058BA1

Function 00A11663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A1168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A116A1
FreeSid.ADVAPI32(?), ref: 00A116B1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1aa9657e1b201c656a1de4b085107bc6f94d3a21a56b742e59ffb65ab6979eb0
Instruction ID: ebd3d8a511850b95cb0ed4c8fbe2e84ca154deb08f5f603e49e0a6015a36c5e0
Opcode Fuzzy Hash: 1aa9657e1b201c656a1de4b085107bc6f94d3a21a56b742e59ffb65ab6979eb0
Instruction Fuzzy Hash: A3F04479A41308FBDB00CFE08C89AAEBBBCEB08210F004860E500E2180E331AA448A50

Function 00A0D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A0D28C

Strings

X64, xrefs: 00A0D2A8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a3e108eabe38fae1b0eed6b6bb4b15975881b8958f7db7819b0b02074aade5e8
Instruction ID: 144cf3897e6c0309a26312df2698fd4e194a995e84848b53109f30d114a54769
Opcode Fuzzy Hash: a3e108eabe38fae1b0eed6b6bb4b15975881b8958f7db7819b0b02074aade5e8
Instruction Fuzzy Hash: 05D0C9B980212DEBCB90CB90EC88DD9B37CBB08315F100555F106A2040D73495498F10

Function 009DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3958abfc4af0146f9f13e3d878220cc8f0e16d5ea75774e28ec8ff456b8f7064
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 69023DB1E4011A9BDF14CFA9C9806ADFBF5EF88314F25856AD919E7380D731AD41CB90

Function 00A268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A26918
FindClose.KERNEL32(00000000), ref: 00A26961

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f9a4bd353566c98d195000d1d517f159d194ad11133f8f5070f15eef5d5eb931
Instruction ID: e931351df9d1d6e7db0f4327eaa283f07b74e904141133262e9b91ce27df741b
Opcode Fuzzy Hash: f9a4bd353566c98d195000d1d517f159d194ad11133f8f5070f15eef5d5eb931
Instruction Fuzzy Hash: 0A11D0756042109FC710DF69D484A26BBE0FF85328F04C6A9F4698F2A2CB70EC45CB90

Function 00A237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A34891,?,?,00000035,?), ref: 00A237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A34891,?,?,00000035,?), ref: 00A237F4

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7e4744c70e58a6819ef512c496dcaac6f0d67716df5f1368df316dcb8068a227
Instruction ID: 81b47441fbce023c914018064a6a361280fbbb1ac2ed48a52064de96a6c6bd8e
Opcode Fuzzy Hash: 7e4744c70e58a6819ef512c496dcaac6f0d67716df5f1368df316dcb8068a227
Instruction Fuzzy Hash: 42F05C756012282BDB1057A55C4CFEB3A6DDFC5770F000131F109D2180C5605900C7B0

Function 00A1B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A1B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A1B270

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 81c58710f475acfcd0a55d7a6ccaec0b816bfc55dc2a040d1910516f9074c2c6
Instruction ID: 6cb9acfd2ecf46c2160c6f45c77f08a81ced8ede0b6c75966cd3a7d4c8b5128f
Opcode Fuzzy Hash: 81c58710f475acfcd0a55d7a6ccaec0b816bfc55dc2a040d1910516f9074c2c6
Instruction Fuzzy Hash: 66F06D7480424DABDB05CFA0C805BEE7BB0FF04315F008009F955A5191C37982059FA4

Function 00A110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A111FC), ref: 00A110D4
CloseHandle.KERNEL32(?,?,00A111FC), ref: 00A110E9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2562b638abd1ee6013f4703e25c4d2a334e8393c6de501057b6bf82a9a4aa172
Instruction ID: f2318f37ff68d89b56ee924733b86c873cb76774a05f50684da14c411e634023
Opcode Fuzzy Hash: 2562b638abd1ee6013f4703e25c4d2a334e8393c6de501057b6bf82a9a4aa172
Instruction Fuzzy Hash: 3FE04F36405610AEE7252B51FC05F7377A9EB44320F10882DF5A6804B1DB626C90DB10

Function 009BCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A00C40

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: fbad1df71af95623abfb42d0eff45885b54635c0c0894d60f653efc9e8c45e5e
Instruction ID: f258e8909a8ad4a86c769e1d6f365bbb9686a7787cbbc905669147f9da1d1a78
Opcode Fuzzy Hash: fbad1df71af95623abfb42d0eff45885b54635c0c0894d60f653efc9e8c45e5e
Instruction Fuzzy Hash: 40329CB4900218DBCF14DF90DA80FFDBBB9BF45324F104469E806AB292DB75AE45CB61

Function 009E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009E6766,?,?,00000008,?,?,009EFEFE,00000000), ref: 009E6998

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 24f5fd1b9624c1c65646486a486442566d78ac61b7a1670b541e44bfa1c018a8
Instruction ID: 670440682664be4fdfacdaf3f52c05c56e728cf6941ba1cefc3747a88bda7f6e
Opcode Fuzzy Hash: 24f5fd1b9624c1c65646486a486442566d78ac61b7a1670b541e44bfa1c018a8
Instruction Fuzzy Hash: D4B14A31610648DFD71ACF29C48AB657BE0FF553A4F258658E899CF2A2C335ED91CB40

Function 009CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A0851F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6cbcd922a1bdd407b6e47ecf77d9eb521f0304bffecea6a2f15bea3b7878660c
Instruction ID: e7b72e90a2201f6cfce7ae9445dbdb87aedddd8ab680461a945e6422462060eb
Opcode Fuzzy Hash: 6cbcd922a1bdd407b6e47ecf77d9eb521f0304bffecea6a2f15bea3b7878660c
Instruction Fuzzy Hash: 44126F71D002299FCB14CF58D881BEEB7B5FF48710F14819AE849EB295EB349E81CB95

Function 00A2EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A2EABD

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e408211454807b06981b127848ee9c5d84702f562a537bf3bcd6caadefcb1559
Instruction ID: aee23cd92386dae957953f74aa8e5889ffe32e2662422971e06f95d5b24bebac
Opcode Fuzzy Hash: e408211454807b06981b127848ee9c5d84702f562a537bf3bcd6caadefcb1559
Instruction Fuzzy Hash: A1E012352002149FC710DF59D404E9AF7E9AF99770F00842AFC49C7251D6B0A8418B91

Function 009D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009D03EE), ref: 009D09DA

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 608a5b45a60680066cbad08a401b810d73c052c34361b76a4376e9e7fce20a6e
Instruction ID: f3530986c7a95518667bb9bcb42d68b2f9ab9f21f9f3a8667121f17fada8e0e7
Opcode Fuzzy Hash: 608a5b45a60680066cbad08a401b810d73c052c34361b76a4376e9e7fce20a6e
Instruction Fuzzy Hash:

Function 009D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 009D798B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7fbdfa165fb24a6f7d7d65a9fbef004606a6bce2f807e56400ac8e6a0069a096
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 34517A726CC6456BDB3885E888E97BFE38D9B52340F18C90BD886D7382F615DE01E351

Function 009E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fedc35ddabc896dbaf38dfb8f3112e04df0187874e9a3eb5a7b5284db40dae
Instruction ID: 5e450c53d97052a72b0daee04798df6b6fd559b718c09591b60f60e6f48b9422
Opcode Fuzzy Hash: d0fedc35ddabc896dbaf38dfb8f3112e04df0187874e9a3eb5a7b5284db40dae
Instruction Fuzzy Hash: C3323422D28F814DD7239675DC22335A65DAFB73C6F14C737F81AB59AAEB28C8834101

Function 009CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f8f7c325306c386597b5d8c91dbb467df48289179852be76c1c84c3bb92b20
Instruction ID: a122cb1e2a649ba6a2113172833fddbeaac55d4ded0b6c8baace5b6f06936827
Opcode Fuzzy Hash: 23f8f7c325306c386597b5d8c91dbb467df48289179852be76c1c84c3bb92b20
Instruction Fuzzy Hash: 6A321572E0011D8BDF28CF69E490B7D7BB1EB45360F298A6AD48ACB2D1D234DD81DB41

Function 009B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616427079aacec5e93d4dea3b57289da749bebc0f083632fb7a908bd74254938
Instruction ID: 36a1159224b1d30cc19585566d70011f8f9e29b6da924210b78b306b6b98ff9d
Opcode Fuzzy Hash: 616427079aacec5e93d4dea3b57289da749bebc0f083632fb7a908bd74254938
Instruction Fuzzy Hash: 43229070A0460ADFDF14CFA4C981BFEB7B5FF84310F214629E916AB291EB399951CB50

Function 009B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515d2a0ba91102ba9dbedaf2b2b2fd37ddb26071eb9a0a4c64137eabf034d22a
Instruction ID: 9e45313cdf795d05ddcf8e11e0c01722289e66bb6aa38af5d1421ccc6bca3924
Opcode Fuzzy Hash: 515d2a0ba91102ba9dbedaf2b2b2fd37ddb26071eb9a0a4c64137eabf034d22a
Instruction Fuzzy Hash: 0E02E6B1E0020AEBDF04DF54D981BAEB7B5FF44310F108569E91A9B2A1E735EE50CB91

Function 009E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20033740c568a4db0edbf1e2fb97e40221bfe297eb58dc7a876b86a259dfbd29
Instruction ID: 351837fadb2e6bf5abf5c3eea090794b816ea73f73ae4b2df29d8e84c4cb8921
Opcode Fuzzy Hash: 20033740c568a4db0edbf1e2fb97e40221bfe297eb58dc7a876b86a259dfbd29
Instruction Fuzzy Hash: CFB1E221D2AF414DD62396798831336B65CBFFB6E6F91D71BFC2678D22EB2285834140

Function 009D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 150fcad0b3c6c7bdc0f484975f9f4248cff034e7524db4f2663e518836169aae
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 769177732480A35ADB2D463E857403EFFE55A923A131A879FD4F2CA3C5FE24C954D620

Function 009D1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: a3bde4dafd8bae8e6592c6bf8bd1b36a53a173e23dd53b4ade3a1dfbc1251e26
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 2491657324D0A34ADB69433D857403EFFE55AA23A131A879FE4F2DB2C5EE24C554E620

Function 009D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6a00eeae14a85ee583f9ef3325ce3bd2d03af0a7319936bd0fc8e76a2128fb4c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3891A5732890A31EDB2D427A957403DFFE55A923A131A879FD4F2CB2C5FE28C554D620

Function 009D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1efc15b5003af0db1fe32a8192d87fff25c54b7413983f60162849546675829
Instruction ID: e192519952c7f6e5d07d96fd7505d2071cde8a565b510a94c7da2358d297f626
Opcode Fuzzy Hash: a1efc15b5003af0db1fe32a8192d87fff25c54b7413983f60162849546675829
Instruction Fuzzy Hash: 336149712C870956DA3499F88D96BBFE39CDF81700F50CD1BE882DB382F6199E428355

Function 009D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe87f11933c2e123c2256182df63008dbea2f235c0e64e4ece02c66b21cde48
Instruction ID: 198443dfa35e58beb5b4575c227e311db0cedb9993e4a46488c768daa230857b
Opcode Fuzzy Hash: abe87f11933c2e123c2256182df63008dbea2f235c0e64e4ece02c66b21cde48
Instruction Fuzzy Hash: AD618A312C870966DA384AE88952BBFE38E9F82704F10CD5BE843CB3D1F615ED42C265

Function 009D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3f75e17496baee08beb0ede08b0005ca0f7ff60efa6885f02097bd7e2605c75d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 6C8198776480A31DDB2D867A853403EFFE55A923A131A879FD4F2CB3D1EE24C554E620

Function 00A22046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae63dbd9acfe95e3bec775cf50f406a14deaa2772825e58e593b25dd2c96b06
Instruction ID: 80bc3f258333fc510c69557b35d07b31ac7ac196cdde44b005352c20b4d7b81d
Opcode Fuzzy Hash: 2ae63dbd9acfe95e3bec775cf50f406a14deaa2772825e58e593b25dd2c96b06
Instruction Fuzzy Hash: 6221A5326206118BD728CFB9C82277A73E5A754310F15863EE4A7C77D0DE35AD04CB80

Function 00A32ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A32B30
DeleteObject.GDI32(00000000), ref: 00A32B43
DestroyWindow.USER32 ref: 00A32B52
GetDesktopWindow.USER32 ref: 00A32B6D
GetWindowRect.USER32(00000000), ref: 00A32B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A32CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A32CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32CF8
GetClientRect.USER32(00000000,?), ref: 00A32D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A32D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32D80
GlobalLock.KERNEL32(00000000), ref: 00A32D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32D98
GlobalUnlock.KERNEL32(00000000), ref: 00A32DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32DA8
GlobalFree.KERNEL32(00000000), ref: 00A32DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A4FC38,00000000), ref: 00A32DDB
GlobalFree.KERNEL32(00000000), ref: 00A32DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A32E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A32E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A32E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A3303F

Strings

, xrefs: 00A32FC5
static, xrefs: 00A32D3A, 00A32E91
AutoIt v3, xrefs: 00A32CF2
DISPLAY, xrefs: 00A32EA2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 80a72a286ae1ca0330ddc0ec6dcf1480db8a843d68119e77af097cdcfda033d4
Instruction ID: 2737a82be34c29512add8bafc4dd5820359aa7b406fb94d2627596595e4b7a72
Opcode Fuzzy Hash: 80a72a286ae1ca0330ddc0ec6dcf1480db8a843d68119e77af097cdcfda033d4
Instruction Fuzzy Hash: BC028079500204AFDB14DFA4CD89EAE7BB9FF89320F008118F919AB2A1D7759D02CB60

Function 00A470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A4712F
GetSysColorBrush.USER32(0000000F), ref: 00A47160
GetSysColor.USER32(0000000F), ref: 00A4716C
SetBkColor.GDI32(?,000000FF), ref: 00A47186
SelectObject.GDI32(?,?), ref: 00A47195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A471C0
GetSysColor.USER32(00000010), ref: 00A471C8
CreateSolidBrush.GDI32(00000000), ref: 00A471CF
FrameRect.USER32(?,?,00000000), ref: 00A471DE
DeleteObject.GDI32(00000000), ref: 00A471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A47230
FillRect.USER32(?,?,?), ref: 00A47262
GetWindowLongW.USER32(?,000000F0), ref: 00A47284

Part of subcall function 00A473E8: GetSysColor.USER32(00000012), ref: 00A47421
Part of subcall function 00A473E8: SetTextColor.GDI32(?,?), ref: 00A47425
Part of subcall function 00A473E8: GetSysColorBrush.USER32(0000000F), ref: 00A4743B
Part of subcall function 00A473E8: GetSysColor.USER32(0000000F), ref: 00A47446
Part of subcall function 00A473E8: GetSysColor.USER32(00000011), ref: 00A47463
Part of subcall function 00A473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A47471
Part of subcall function 00A473E8: SelectObject.GDI32(?,00000000), ref: 00A47482
Part of subcall function 00A473E8: SetBkColor.GDI32(?,00000000), ref: 00A4748B
Part of subcall function 00A473E8: SelectObject.GDI32(?,?), ref: 00A47498
Part of subcall function 00A473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A474B7
Part of subcall function 00A473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A474CE
Part of subcall function 00A473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A474DB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e32fd16e61fc5865537cda0a751a5663f64f0e5c73d0b84fc55b8d9a9cf0d2eb
Instruction ID: 6176da9667a41fa75ebaac83b0444f9e04d585371ad2291b2cf4526410da515c
Opcode Fuzzy Hash: e32fd16e61fc5865537cda0a751a5663f64f0e5c73d0b84fc55b8d9a9cf0d2eb
Instruction Fuzzy Hash: 2DA1BF7A009341AFD750DFA4DC48A5FBBA9FBCA330F100B19F966961A1D772E801CB52

Function 009C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A06AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A06AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A06F43

Part of subcall function 009C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009C8BE8,?,00000000,?,?,?,?,009C8BBA,00000000,?), ref: 009C8FC5

SendMessageW.USER32(?,00001053), ref: 00A06F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A06F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A06FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A06FB7

Strings

0, xrefs: 00A06DCF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 9327aaaea5510ef955a6d1f4f266a7ad46e1fef904255b7050e48657f8d07e4e
Instruction ID: 17e819ff82de86bb53ec98c80b99dcfffcad4039f8767c1024051cfca7d335cc
Opcode Fuzzy Hash: 9327aaaea5510ef955a6d1f4f266a7ad46e1fef904255b7050e48657f8d07e4e
Instruction Fuzzy Hash: DE12CE34601205DFDB25DF14E884BAAB7F5FB85314F14446DF4998B2A2CB36EC62CB92

Function 00A32711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A3273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A3286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A32900
GetClientRect.USER32(00000000,?), ref: 00A3290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A32955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A32964
GetStockObject.GDI32(00000011), ref: 00A32974
SelectObject.GDI32(00000000,00000000), ref: 00A32978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A32988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A32991
DeleteDC.GDI32(00000000), ref: 00A3299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A32A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A32A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A32A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A32A77
GetStockObject.GDI32(00000011), ref: 00A32A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A32A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A32A97

Strings

msctls_progress32, xrefs: 00A32A13
static, xrefs: 00A3294F, 00A32A71
AutoIt v3, xrefs: 00A328F8
DISPLAY, xrefs: 00A3295A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a5cf7889a00397d3170380ca7efd1a88bef7b00e34a0ed9c45ff4c616c2d382a
Instruction ID: 5dad171c5f4021c4842192c7fd9495736aacaab5c00292a7ce496dac8d7d6cea
Opcode Fuzzy Hash: a5cf7889a00397d3170380ca7efd1a88bef7b00e34a0ed9c45ff4c616c2d382a
Instruction Fuzzy Hash: 34B16E75A00215AFEB14DFA8CC45FAEBBA9FB48720F008514F915EB290D770AD01CBA0

Function 00A24ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A24AED
GetDriveTypeW.KERNEL32(?,00A4CB68,?,\\.\,00A4CC08), ref: 00A24BCA
SetErrorMode.KERNEL32(00000000,00A4CB68,?,\\.\,00A4CC08), ref: 00A24D36

Strings

CDROM, xrefs: 00A24BFB
PhysicalDrive, xrefs: 00A24B76
SCSI, xrefs: 00A24C8A
Removable, xrefs: 00A24C10, 00A24C15
SATA, xrefs: 00A24CD0
\\.\, xrefs: 00A24B3F
ATAPI, xrefs: 00A24C91
USB, xrefs: 00A24CB4
RAMDisk, xrefs: 00A24BF4
Virtual, xrefs: 00A24CE5
MMC, xrefs: 00A24CDE
SAS, xrefs: 00A24CC9
iSCSI, xrefs: 00A24CC2
1394, xrefs: 00A24C9F
Fibre, xrefs: 00A24CAD
FileBackedVirtual, xrefs: 00A24CEC
Unknown, xrefs: 00A24BED, 00A24C83
RAID, xrefs: 00A24CBB
Network, xrefs: 00A24C02
Fixed, xrefs: 00A24C09
ATA, xrefs: 00A24C98
SSA, xrefs: 00A24CA6
SSD, xrefs: 00A24C4A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b02ca796061343281509e04176914bb8771e2459350ce06ad92e62b08c1c56ed
Instruction ID: 9e5989b4b96fc2044d34e13e8541006c035746ffeb729aab79fdddb7e4eb30ca
Opcode Fuzzy Hash: b02ca796061343281509e04176914bb8771e2459350ce06ad92e62b08c1c56ed
Instruction Fuzzy Hash: D361B330605915AFCB15DF2CDE81AA977B0FB4C314B24C436F80AAB692DB75DD41DB41

Function 00A473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A47421
SetTextColor.GDI32(?,?), ref: 00A47425
GetSysColorBrush.USER32(0000000F), ref: 00A4743B
GetSysColor.USER32(0000000F), ref: 00A47446
CreateSolidBrush.GDI32(?), ref: 00A4744B
GetSysColor.USER32(00000011), ref: 00A47463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A47471
SelectObject.GDI32(?,00000000), ref: 00A47482
SetBkColor.GDI32(?,00000000), ref: 00A4748B
SelectObject.GDI32(?,?), ref: 00A47498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A4752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A47554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A47572
DrawFocusRect.USER32(?,?), ref: 00A4757D
GetSysColor.USER32(00000011), ref: 00A4758E
SetTextColor.GDI32(?,00000000), ref: 00A47596
DrawTextW.USER32(?,00A470F5,000000FF,?,00000000), ref: 00A475A8
SelectObject.GDI32(?,?), ref: 00A475BF
DeleteObject.GDI32(?), ref: 00A475CA
SelectObject.GDI32(?,?), ref: 00A475D0
DeleteObject.GDI32(?), ref: 00A475D5
SetTextColor.GDI32(?,?), ref: 00A475DB
SetBkColor.GDI32(?,?), ref: 00A475E5

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: cca5e553069754e11114cf2c02e3e96b301a3e70c26226f5a492e25f8510f8dc
Instruction ID: 93b0f657b0dafe477eca6d4ea1e28a50d0defb911fac03c039ed9a51ed4f323e
Opcode Fuzzy Hash: cca5e553069754e11114cf2c02e3e96b301a3e70c26226f5a492e25f8510f8dc
Instruction Fuzzy Hash: FE617F7A901218AFDF00DFA8DC48EAEBFB9EB89320F114115F915BB2A1D7759941CF90

Function 00A40FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A41128
GetDesktopWindow.USER32 ref: 00A4113D
GetWindowRect.USER32(00000000), ref: 00A41144
GetWindowLongW.USER32(?,000000F0), ref: 00A41199
DestroyWindow.USER32(?), ref: 00A411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A4120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A4121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A41232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A41245
IsWindowVisible.USER32(00000000), ref: 00A412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A412D0
GetWindowRect.USER32(00000000,?), ref: 00A412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A4130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A41328
CopyRect.USER32(?,?), ref: 00A4133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A413AA

Strings

0, xrefs: 00A410D3
(, xrefs: 00A4131B
tooltips_class32, xrefs: 00A411E6

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 088154527b55c806d41dff51d474d3b50a29e62d22ec13ccb65406f505c346d5
Instruction ID: e99fd5c7238578acf88b57e74a5348a69a5ef6eca5bb695d4ed5ef88c54fcabf
Opcode Fuzzy Hash: 088154527b55c806d41dff51d474d3b50a29e62d22ec13ccb65406f505c346d5
Instruction Fuzzy Hash: 77B18975608341AFD750DF64C984BAABBE4FFC8350F00891CF9999B2A1D771E885CB92

Function 009C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009C8968
GetSystemMetrics.USER32(00000007), ref: 009C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009C899B
GetSystemMetrics.USER32(00000008), ref: 009C89A3
GetSystemMetrics.USER32(00000004), ref: 009C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 009C8A5A
GetStockObject.GDI32(00000011), ref: 009C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 009C8A81

Part of subcall function 009C912D: GetCursorPos.USER32(?), ref: 009C9141
Part of subcall function 009C912D: ScreenToClient.USER32(00000000,?), ref: 009C915E
Part of subcall function 009C912D: GetAsyncKeyState.USER32(00000001), ref: 009C9183
Part of subcall function 009C912D: GetAsyncKeyState.USER32(00000002), ref: 009C919D

SetTimer.USER32(00000000,00000000,00000028,009C90FC), ref: 009C8AA8

Strings

AutoIt v3 GUI, xrefs: 009C8A20

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e24420d8a7c7d17ad51bf5553b7f33621c714a141aa7834bb1bfd7efe70181c9
Instruction ID: eb9b47a7775cfe36cd72f6a01052e72d7e669347f3362541a9c6de474f02c94f
Opcode Fuzzy Hash: e24420d8a7c7d17ad51bf5553b7f33621c714a141aa7834bb1bfd7efe70181c9
Instruction Fuzzy Hash: 6FB18E39A00209AFDB14DFA8DC45FAE7BB5FB88314F104229FA15A72D0DB74E852CB55

Function 00A10D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A11114
Part of subcall function 00A110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A11120
Part of subcall function 00A110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A1112F
Part of subcall function 00A110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A11136
Part of subcall function 00A110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A10DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A10E29
GetLengthSid.ADVAPI32(?), ref: 00A10E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A10E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A10E96
GetLengthSid.ADVAPI32(?), ref: 00A10EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A10EB5
HeapAlloc.KERNEL32(00000000), ref: 00A10EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A10EDD
CopySid.ADVAPI32(00000000), ref: 00A10EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A10F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A10F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A10F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A10F6E
HeapFree.KERNEL32(00000000), ref: 00A10F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A10F7E
HeapFree.KERNEL32(00000000), ref: 00A10F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A10F8E
HeapFree.KERNEL32(00000000), ref: 00A10F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A10FA1
HeapFree.KERNEL32(00000000), ref: 00A10FA8

Part of subcall function 00A11193: GetProcessHeap.KERNEL32(00000008,00A10BB1,?,00000000,?,00A10BB1,?), ref: 00A111A1
Part of subcall function 00A11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A10BB1,?), ref: 00A111A8
Part of subcall function 00A11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A10BB1,?), ref: 00A111B7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: e9a85ec086d5c943f732cc2c98cc8d04d20a5f8d739553f784a0d33714aa2700
Instruction ID: a0139222219aa5d5c4ab991dd1b496366fa287b667e3d544a7ec6f3a5791d0df
Opcode Fuzzy Hash: e9a85ec086d5c943f732cc2c98cc8d04d20a5f8d739553f784a0d33714aa2700
Instruction Fuzzy Hash: 2A71BC7690121AEBDF20DFA4DC45FEEBBB8BF45310F044215F918E6190D7719986CB60

Function 00A3C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A3C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A4CC08,00000000,?,00000000,?,?), ref: 00A3C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A3C5A4
_wcslen.LIBCMT ref: 00A3C5F4
_wcslen.LIBCMT ref: 00A3C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A3C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A3C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A3C84D
RegCloseKey.ADVAPI32(?), ref: 00A3C881
RegCloseKey.ADVAPI32(00000000), ref: 00A3C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A3C960

Strings

REG_QWORD, xrefs: 00A3C8C3
REG_BINARY, xrefs: 00A3C913
REG_SZ, xrefs: 00A3C644
REG_MULTI_SZ, xrefs: 00A3C6F5
REG_DWORD, xrefs: 00A3C804
REG_EXPAND_SZ, xrefs: 00A3C5CD

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5131241443c8f62fe578c1a84c973ff193305a797eed707ad6654f2a9a12a0fd
Instruction ID: 72885f896940fe9a5a92b4f4614416b5dc40338713334070198200044e36d2b5
Opcode Fuzzy Hash: 5131241443c8f62fe578c1a84c973ff193305a797eed707ad6654f2a9a12a0fd
Instruction Fuzzy Hash: 341257356042019FD714DF24C981B6AB7E5EF88724F14899DF88AAB3A2DB31ED41CB91

Function 00A4091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A409C6
_wcslen.LIBCMT ref: 00A40A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A40A54
_wcslen.LIBCMT ref: 00A40A8A
_wcslen.LIBCMT ref: 00A40B06
_wcslen.LIBCMT ref: 00A40B81

Part of subcall function 009CF9F2: _wcslen.LIBCMT ref: 009CF9FD

Part of subcall function 00A12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A12BFA

Strings

GETTOTALCOUNT, xrefs: 00A409F2, 00A40A17
ISCHECKED, xrefs: 00A40CE1
EXISTS, xrefs: 00A40B7C, 00A40B97
UNCHECK, xrefs: 00A40D3E
EXPAND, xrefs: 00A40BF8
GETSELECTED, xrefs: 00A40C4E
CHECK, xrefs: 00A40A85, 00A40AA0
SELECT, xrefs: 00A40D11
GETITEMCOUNT, xrefs: 00A40C1E
COLLAPSE, xrefs: 00A40B01, 00A40B1C
GETTEXT, xrefs: 00A40C97

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: eafa07336744a4e98ff48b0c9c94be4eb522344043d20495e8522fffd4dcf92e
Instruction ID: bb7932a5126daa62ab67429c50b36e1024f86d268940dc4d29c24385c2f3ec3a
Opcode Fuzzy Hash: eafa07336744a4e98ff48b0c9c94be4eb522344043d20495e8522fffd4dcf92e
Instruction Fuzzy Hash: AFE188396083018FCB14DF24C550E6AB7E2BFD8354B14895DF99A9B3A2D730ED46DB82

Function 00A3C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A3B6AE,?,?), ref: 00A3C9B5
_wcslen.LIBCMT ref: 00A3C9F1
_wcslen.LIBCMT ref: 00A3CA68
_wcslen.LIBCMT ref: 00A3CA9E
_wcslen.LIBCMT ref: 00A3CAF9
_wcslen.LIBCMT ref: 00A3CB2F
_wcslen.LIBCMT ref: 00A3CB7F

Strings

HKCU, xrefs: 00A3CBCE
HKEY_CURRENT_USER, xrefs: 00A3CBBD
HKCR, xrefs: 00A3CB29, 00A3CB2E
HKEY_LOCAL_MACHINE, xrefs: 00A3CA62, 00A3CA67
HKEY_CURRENT_CONFIG, xrefs: 00A3CB79, 00A3CB7E
HKCC, xrefs: 00A3CBAC
HKEY_USERS, xrefs: 00A3CBDF
HKEY_CLASSES_ROOT, xrefs: 00A3CAF3, 00A3CAF8
HKU, xrefs: 00A3CBF0
HKLM, xrefs: 00A3CA98, 00A3CA9D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5403bdb30f9accdfd6713510aa5c29929d8acb3b0164a736e7d736cf9201cdc5
Instruction ID: 91312ac234ac0654563277cfea0d4df99b844cca41d6ca41e9cacf9377768923
Opcode Fuzzy Hash: 5403bdb30f9accdfd6713510aa5c29929d8acb3b0164a736e7d736cf9201cdc5
Instruction Fuzzy Hash: 7371C733A0052A8BCB10DF7CCD516BE73A6AFA07B4F258529F855BB284E635CD45C391

Function 00A4833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A4835A
_wcslen.LIBCMT ref: 00A4836E
_wcslen.LIBCMT ref: 00A48391
_wcslen.LIBCMT ref: 00A483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A4361A,?), ref: 00A4844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A48487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A48501
FreeLibrary.KERNEL32(?), ref: 00A4850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A4851D
DestroyIcon.USER32(?), ref: 00A4852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A48549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A48555

Strings

.exe, xrefs: 00A48388
.icl, xrefs: 00A48368
.dll, xrefs: 00A483AB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 110c012dcadac3c2a0d1f824b0af17284e282d32c6e33bf08272bf8870829699
Instruction ID: f5e9821b7fc0676b83a920501777a8df20a9eeb545986d8f19dcbc0ca3e995e4
Opcode Fuzzy Hash: 110c012dcadac3c2a0d1f824b0af17284e282d32c6e33bf08272bf8870829699
Instruction Fuzzy Hash: 4A610475540215BFEB14DF64DC81BFE77A8BF84B21F108609F815DA1D1DBB9A980CBA0

Function 009B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 009B78D9
Unterminated group of comments, xrefs: 009F528C
', xrefs: 009F5169
#pragma compile, xrefs: 009B77D3
#comments-start, xrefs: 009B785F, 009B78B1
#requireadmin, xrefs: 009B77FF
#cs, xrefs: 009B7873, 009B78C5
Cannot parse #include, xrefs: 009F5279
", xrefs: 009F5153
#notrayicon, xrefs: 009B77E7
#include, xrefs: 009B7847
#ce, xrefs: 009B78ED
#OnAutoItStartRegister, xrefs: 009B7817
Bad directive syntax error, xrefs: 009F519A
#include-once, xrefs: 009B782F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d19e338e4ddc2a95f73ef7197090cf9e0428ae9d08cedb261c46fe041106eac6
Instruction ID: 37eafa460d4b7c582b8da005149149012d83ee1be94cdd56b4da123f161e4218
Opcode Fuzzy Hash: d19e338e4ddc2a95f73ef7197090cf9e0428ae9d08cedb261c46fe041106eac6
Instruction Fuzzy Hash: 52811971A44209BBDB10AFA0CE82FFF77A8AFC5310F014525FA05AB196EB70D901D7A1

Function 00A23E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A23EF8
_wcslen.LIBCMT ref: 00A23F03
_wcslen.LIBCMT ref: 00A23F5A
_wcslen.LIBCMT ref: 00A23F98
GetDriveTypeW.KERNEL32(?), ref: 00A23FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A2401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A24059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A24087

Strings

open , xrefs: 00A23FE5
closed, xrefs: 00A23F08, 00A23F2D, 00A23F46, 00A23F7E, 00A23F97
set cd door , xrefs: 00A24028
type cdaudio alias cd wait, xrefs: 00A24001
close, xrefs: 00A23EFE, 00A23F18
open, xrefs: 00A23F54, 00A23F59
wait, xrefs: 00A24044
close cd wait, xrefs: 00A24072

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: ff476f15b0dccad6dc082b50832c177edb8ed0639d1035706e1b744779f3af90
Instruction ID: d2d66cf6df273fc57fd6c1ce15fef2f081195084ce34e05cfc5601e56f790a29
Opcode Fuzzy Hash: ff476f15b0dccad6dc082b50832c177edb8ed0639d1035706e1b744779f3af90
Instruction Fuzzy Hash: 717124326083219FC710DF28D980AAAB7F4FF99764F00892DF9969B251EB34ED45CB51

Function 00A15A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A15A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A15A40
SetWindowTextW.USER32(?,?), ref: 00A15A57
GetDlgItem.USER32(?,000003EA), ref: 00A15A6C
SetWindowTextW.USER32(00000000,?), ref: 00A15A72
GetDlgItem.USER32(?,000003E9), ref: 00A15A82
SetWindowTextW.USER32(00000000,?), ref: 00A15A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A15AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A15AC3
GetWindowRect.USER32(?,?), ref: 00A15ACC
_wcslen.LIBCMT ref: 00A15B33
SetWindowTextW.USER32(?,?), ref: 00A15B6F
GetDesktopWindow.USER32 ref: 00A15B75
GetWindowRect.USER32(00000000), ref: 00A15B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A15BD3
GetClientRect.USER32(?,?), ref: 00A15BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A15C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A15C2F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 82e0ed93c7e68f7ef3c52e04a81ff43c2910b78747d2ffcf58c2f05e29c4bb75
Instruction ID: 3574e88c51b540606cc82ec2377dabfa63afeb59702adc8b0e43687c42d7e66b
Opcode Fuzzy Hash: 82e0ed93c7e68f7ef3c52e04a81ff43c2910b78747d2ffcf58c2f05e29c4bb75
Instruction Fuzzy Hash: B9718D35904B09EFDB20DFB8CE85AAEBBF5FF88714F104518E586A25A0D775E980CB50

Function 00A2FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A2FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00A2FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00A2FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00A2FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00A2FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00A2FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00A2FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00A2FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00A2FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00A2FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00A2FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00A2FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00A2FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00A2FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00A2FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00A2FECC
GetCursorInfo.USER32(?), ref: 00A2FEDC
GetLastError.KERNEL32 ref: 00A2FF1E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bc6b02eaefc26cd80e9120fc9c0221fd6699e090ecf825f17ebe8782b5ec1353
Instruction ID: de991bdd7f95927cef7623c779c0eb316b0f65dc3c23662e34635568248cfcf5
Opcode Fuzzy Hash: bc6b02eaefc26cd80e9120fc9c0221fd6699e090ecf825f17ebe8782b5ec1353
Instruction Fuzzy Hash: 554162B0D043196EDB10DFBA9D8585EBFF8BF44364B50453AE11DE7281DB78A9018E90

Function 009D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009D00C6

Part of subcall function 009D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A8070C,00000FA0,D00E870A,?,?,?,?,009F23B3,000000FF), ref: 009D011C
Part of subcall function 009D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009F23B3,000000FF), ref: 009D0127
Part of subcall function 009D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009F23B3,000000FF), ref: 009D0138
Part of subcall function 009D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009D014E
Part of subcall function 009D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009D015C
Part of subcall function 009D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009D016A
Part of subcall function 009D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009D0195
Part of subcall function 009D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009D01A0

___scrt_fastfail.LIBCMT ref: 009D00E7

Part of subcall function 009D00A3: __onexit.LIBCMT ref: 009D00A9

Strings

WakeAllConditionVariable, xrefs: 009D0162
SleepConditionVariableCS, xrefs: 009D0154
kernel32.dll, xrefs: 009D0133
InitializeConditionVariable, xrefs: 009D0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 009D0122

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: bdc38534d08bdedfe0d99dbb5e6c274639eeea9f97f690fb45a77b43584acdd1
Instruction ID: d48c008a765435e6c693f3c77bfef6123f8e985528f91dbd8f87f85676558915
Opcode Fuzzy Hash: bdc38534d08bdedfe0d99dbb5e6c274639eeea9f97f690fb45a77b43584acdd1
Instruction Fuzzy Hash: 3D21F93AA857107FE7509BE4AC05F6A7798FBC5F65F00853AF805A3391DBB598018A90

Function 00A130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A1318D
_wcslen.LIBCMT ref: 00A131F8

Strings

CLASSNN, xrefs: 00A131F3, 00A13204
NAME, xrefs: 00A13335, 00A13346
CLASS, xrefs: 00A13188, 00A131A5
TEXT, xrefs: 00A1347C
INSTANCE, xrefs: 00A13453
REGEXPCLASS, xrefs: 00A13255, 00A13266

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 8f89dcc3e9f5980b801f5c08eb30cc220b2ce2b41dc987d68e063be0376bdc3c
Instruction ID: 32c1ac08f175fb1f6520bc2f30f009c804328823dbd84f33eb301227ebeb870c
Opcode Fuzzy Hash: 8f89dcc3e9f5980b801f5c08eb30cc220b2ce2b41dc987d68e063be0376bdc3c
Instruction Fuzzy Hash: D8E1C433A00516ABCF149FB8C8517EDBBB5BF94760F54811AE456E7240EB70AEC58790

Function 00A244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A4CC08), ref: 00A24527
_wcslen.LIBCMT ref: 00A2453B
_wcslen.LIBCMT ref: 00A24599
_wcslen.LIBCMT ref: 00A245F4
_wcslen.LIBCMT ref: 00A2463F
_wcslen.LIBCMT ref: 00A246A7

Part of subcall function 009CF9F2: _wcslen.LIBCMT ref: 009CF9FD

GetDriveTypeW.KERNEL32(?,00A76BF0,00000061), ref: 00A24743

Strings

ramdisk, xrefs: 00A246F1
network, xrefs: 00A2469D, 00A246A2
unknown, xrefs: 00A24708
fixed, xrefs: 00A24635, 00A2463A
cdrom, xrefs: 00A2458F, 00A24594
all, xrefs: 00A24531, 00A24536
removable, xrefs: 00A245EA, 00A245EF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 15c86cc9636b3a1a2d4535d55342f44b2e01e7b40ea00d7842bf2ba400b6c353
Instruction ID: 647d2ea125f79c9f5604a2355dfecf4782a8ae8f5d72061e60c8e90609dacc3b
Opcode Fuzzy Hash: 15c86cc9636b3a1a2d4535d55342f44b2e01e7b40ea00d7842bf2ba400b6c353
Instruction Fuzzy Hash: EDB1C0316083229FC710DF2CE990A6AB7E5AFE9760F50892DF49AC7291D730DC45CB92

Function 00A33FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A4CC08), ref: 00A340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00A4CC08), ref: 00A340F2
FreeLibrary.KERNEL32(00000000,?,00A4CC08), ref: 00A3413E
StringFromGUID2.OLE32(?,?,00000028,?,00A4CC08), ref: 00A341A8
SysFreeString.OLEAUT32(00000009), ref: 00A34262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A342C8
SysFreeString.OLEAUT32(?), ref: 00A342F2

Strings

kernel32.dll, xrefs: 00A340B6
GetModuleHandleExW, xrefs: 00A340C7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ad286833e96b1ed2b1c451f6ff9bf27226f0b83d15128d9b13bbb4bb5d009ed3
Instruction ID: 156e307954cf1706bbde66f5c8a847cd6eaaca47821fbad577bb8d4095404135
Opcode Fuzzy Hash: ad286833e96b1ed2b1c451f6ff9bf27226f0b83d15128d9b13bbb4bb5d009ed3
Instruction Fuzzy Hash: 44120B75A00215EFDB14DF94C884EAEBBB5FF89314F248099F909AB251D731ED46CBA0

Function 009B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A81990), ref: 009F2F8D
GetMenuItemCount.USER32(00A81990), ref: 009F303D
GetCursorPos.USER32(?), ref: 009F3081
SetForegroundWindow.USER32(00000000), ref: 009F308A
TrackPopupMenuEx.USER32(00A81990,00000000,?,00000000,00000000,00000000), ref: 009F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009F30A9

Strings

0, xrefs: 009B327D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ea22da2b144dd811056a45794025bf5473e29b6f3c5b1d78f824522bd4f6f8f7
Instruction ID: a113da405183bf562627eb863b03a654fffff8622ddb7a1b079077f176d4207d
Opcode Fuzzy Hash: ea22da2b144dd811056a45794025bf5473e29b6f3c5b1d78f824522bd4f6f8f7
Instruction Fuzzy Hash: 5A710974640209BEEB21CF65CD49FEABF68FF45334F208216F6246A1E0C7B5A950DB91

Function 00A46CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A46DEB

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A46E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A46E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A46E94
DestroyWindow.USER32(?), ref: 00A46EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009B0000,00000000), ref: 00A46EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A46EFD
GetDesktopWindow.USER32 ref: 00A46F16
GetWindowRect.USER32(00000000), ref: 00A46F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A46F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A46F4D

Part of subcall function 009C9944: GetWindowLongW.USER32(?,000000EB), ref: 009C9952

Strings

tooltips_class32, xrefs: 00A46E58, 00A46EDD
0, xrefs: 00A46D98

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 1ac11888ed71bdb696e3914b0460fcd16953a8f4fe76ec87d9e6c0043b61b87c
Instruction ID: 5cb4e18bfa2d4aa0d84180fb182f91ec55d1d910a9cf4bcbe68e6724865be6ff
Opcode Fuzzy Hash: 1ac11888ed71bdb696e3914b0460fcd16953a8f4fe76ec87d9e6c0043b61b87c
Instruction Fuzzy Hash: 28715678504344AFDB21CF58DC44BAABBF9FBCA314F04481DF99987261D775A90ACB12

Function 00A4911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00A49147

Part of subcall function 00A47674: ClientToScreen.USER32(?,?), ref: 00A4769A
Part of subcall function 00A47674: GetWindowRect.USER32(?,?), ref: 00A47710
Part of subcall function 00A47674: PtInRect.USER32(?,?,00A48B89), ref: 00A47720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A49225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A4923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A49255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A49277
DragFinish.SHELL32(?), ref: 00A4927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A49371

Strings

@GUI_DROPID, xrefs: 00A4929E
@GUI_DRAGFILE, xrefs: 00A49320
@GUI_DRAGID, xrefs: 00A492E9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: cd5c644eb5e61d3ee4a8a36930bd20b2126906036432e17c28229bf409307ccf
Instruction ID: 3188bdaa03612d88bd9336db90c35859246b104a8d60111890f976e0406d3abd
Opcode Fuzzy Hash: cd5c644eb5e61d3ee4a8a36930bd20b2126906036432e17c28229bf409307ccf
Instruction Fuzzy Hash: 13617975108301AFC701EFA0DD89EAFBBE8EFC9760F00491EF595921A0DB719A49CB52

Function 00A2C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A2C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A2C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A2C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A2C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A2C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A2C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A2C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A2C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A2C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A2C5F0
InternetCloseHandle.WININET(00000000), ref: 00A2C5FB

Strings

, xrefs: 00A2C575

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9c905aeec8c543316ad756e8695b3a7eda3d15e90a9bb6f448f7e6bcc0b26862
Instruction ID: 1db7af1729661ec6923c75222df5988f2bbfed573e78e4906af89c63b42bda4b
Opcode Fuzzy Hash: 9c905aeec8c543316ad756e8695b3a7eda3d15e90a9bb6f448f7e6bcc0b26862
Instruction Fuzzy Hash: 3C518BB4140718BFDB21DFA8D988AAF7BFCFF49764F004429F94A96210DB75E9049B60

Function 00A4856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A48592
GetFileSize.KERNEL32(00000000,00000000), ref: 00A485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A485AD
CloseHandle.KERNEL32(00000000), ref: 00A485BA
GlobalLock.KERNEL32(00000000), ref: 00A485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A485D7
GlobalUnlock.KERNEL32(00000000), ref: 00A485E0
CloseHandle.KERNEL32(00000000), ref: 00A485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A4FC38,?), ref: 00A48611
GlobalFree.KERNEL32(00000000), ref: 00A48621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00A48641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A48671
DeleteObject.GDI32(00000000), ref: 00A48699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A486AF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 64160a114d55ba54db639e7a27e6cf4eb58f0e2fc1dd7ae272e6514f3e906713
Instruction ID: 4bdbdde5f61bebc298df79c9aa5ca1dc68918b0b734e38c7d7aa17def053e0ff
Opcode Fuzzy Hash: 64160a114d55ba54db639e7a27e6cf4eb58f0e2fc1dd7ae272e6514f3e906713
Instruction Fuzzy Hash: 1F412A79601204AFDB51DFA5DC48EAEBBB8EF8A721F104058F909E7260DB759902DB20

Function 00A214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A21502
VariantCopy.OLEAUT32(?,?), ref: 00A2150B
VariantClear.OLEAUT32(?), ref: 00A21517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A21657
VariantInit.OLEAUT32(?), ref: 00A21708
SysFreeString.OLEAUT32(?), ref: 00A2178C
VariantClear.OLEAUT32(?), ref: 00A217D8
VariantClear.OLEAUT32(?), ref: 00A217E7
VariantInit.OLEAUT32(00000000), ref: 00A21823

Strings

Default, xrefs: 00A216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00A21625

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3c8a5186f1826b3a5929b90c2030c102a51ec25cf8fbcebfa2d07acaa0f2ea49
Instruction ID: f9dfddbccab9c1fbf1d9b5640cb09b740217614061fe7ce8e5d49d96ad55b9c1
Opcode Fuzzy Hash: 3c8a5186f1826b3a5929b90c2030c102a51ec25cf8fbcebfa2d07acaa0f2ea49
Instruction Fuzzy Hash: 91D10471A00225EBDB10DFA9F885BBDB7B5BF95710F1080AAF446AB580DB30DD41DB62

Function 00A3B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A3B6AE,?,?), ref: 00A3C9B5
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3C9F1
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA68
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A3B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A3B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A3B80A
RegCloseKey.ADVAPI32(?), ref: 00A3B87E
RegCloseKey.ADVAPI32(?), ref: 00A3B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A3B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A3B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A3B922
FreeLibrary.KERNEL32(00000000), ref: 00A3B983
RegCloseKey.ADVAPI32(00000000), ref: 00A3B994

Strings

RegDeleteKeyExW, xrefs: 00A3B8FE
advapi32.dll, xrefs: 00A3B8ED

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 07d76e3b9bbacce9d9b8eb27597b4a2569bdc3097db465ab095a9b497a26e405
Instruction ID: fddc6b3fdc814afbf0d9bc4aaa5eeacbea7e58b7046460eb67bc5dfc0003e013
Opcode Fuzzy Hash: 07d76e3b9bbacce9d9b8eb27597b4a2569bdc3097db465ab095a9b497a26e405
Instruction Fuzzy Hash: 2BC19E34214201AFD710DF14C495F6ABBE6FF84318F14859CF59A8B2A2CB75ED46CBA1

Function 00A3255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A325E8
CreateCompatibleDC.GDI32(?), ref: 00A325F4
SelectObject.GDI32(00000000,?), ref: 00A32601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A3266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A326D0
SelectObject.GDI32(?,?), ref: 00A326D8
DeleteObject.GDI32(?), ref: 00A326E1
DeleteDC.GDI32(?), ref: 00A326E8
ReleaseDC.USER32(00000000,?), ref: 00A326F3

Strings

(, xrefs: 00A3268D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 88f7178962ccc6f8dc676a0c2cf29ef050c305b92623b511ac107a3d06f8dfd4
Instruction ID: 5a345f86393b7cedfcbc9dddfe371c916ce956cd2881ab01eb9400afb3272efb
Opcode Fuzzy Hash: 88f7178962ccc6f8dc676a0c2cf29ef050c305b92623b511ac107a3d06f8dfd4
Instruction Fuzzy Hash: 3F61F279D00219EFCF14CFE8D985AAEBBB5FF88310F208529E959A7250E771A941CF50

Function 009EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 009EDAA1

Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED659
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED66B
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED67D
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED68F
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED6A1
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED6B3
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED6C5
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED6D7
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED6E9
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED6FB
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED70D
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED71F
Part of subcall function 009ED63C: _free.LIBCMT ref: 009ED731

_free.LIBCMT ref: 009EDA96

Part of subcall function 009E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000), ref: 009E29DE
Part of subcall function 009E29C8: GetLastError.KERNEL32(00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000,00000000), ref: 009E29F0

_free.LIBCMT ref: 009EDAB8
_free.LIBCMT ref: 009EDACD
_free.LIBCMT ref: 009EDAD8
_free.LIBCMT ref: 009EDAFA
_free.LIBCMT ref: 009EDB0D
_free.LIBCMT ref: 009EDB1B
_free.LIBCMT ref: 009EDB26
_free.LIBCMT ref: 009EDB5E
_free.LIBCMT ref: 009EDB65
_free.LIBCMT ref: 009EDB82
_free.LIBCMT ref: 009EDB9A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 39cd6ffca6ccab5ff1434cf300e55408d0d3de82e8b736b5b88f62d56d34594b
Instruction ID: 8638577b8bd56717edcafd97b7ecdaee60fe7fc7fd2f34e2a64a197ea4c63604
Opcode Fuzzy Hash: 39cd6ffca6ccab5ff1434cf300e55408d0d3de82e8b736b5b88f62d56d34594b
Instruction Fuzzy Hash: 80316B316053889FEB23AB3AE946B5A77ECFF40310F165429E458D7192EF35ED408720

Function 00A1365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A1369C
_wcslen.LIBCMT ref: 00A136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A13797
GetClassNameW.USER32(?,?,00000400), ref: 00A1380C
GetDlgCtrlID.USER32(?), ref: 00A1385D
GetWindowRect.USER32(?,?), ref: 00A13882
GetParent.USER32(?), ref: 00A138A0
ScreenToClient.USER32(00000000), ref: 00A138A7
GetClassNameW.USER32(?,?,00000100), ref: 00A13921
GetWindowTextW.USER32(?,?,00000400), ref: 00A1395D

Strings

%s%u, xrefs: 00A13734

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6c04c843a02c7eae1b714fcdfe26a93c78fe88261919c853cf121e7fb0ea1535
Instruction ID: 0f5e59332c40d16b72fc6687de39de9155e2d54bb0fa93dafeaff1e1f1371efa
Opcode Fuzzy Hash: 6c04c843a02c7eae1b714fcdfe26a93c78fe88261919c853cf121e7fb0ea1535
Instruction Fuzzy Hash: 4491D672204706AFDB19DF64C895FEAF7A8FF44350F008529F999D6190DB30EA85CBA1

Function 00A14954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A14994
GetWindowTextW.USER32(?,?,00000400), ref: 00A149DA
_wcslen.LIBCMT ref: 00A149EB
CharUpperBuffW.USER32(?,00000000), ref: 00A149F7
_wcsstr.LIBVCRUNTIME ref: 00A14A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A14A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A14A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A14AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A14B20
GetWindowRect.USER32(?,?), ref: 00A14B8B

Strings

ThumbnailClass, xrefs: 00A14A6F, 00A14AF1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: fe5d2104838e6c14326919bbd317d7b6c7c60be8814b045047a4678482cfeca5
Instruction ID: f4c14f605ad445c3aca7558bf5e87051621735cba0041fb65abe551eb7e63851
Opcode Fuzzy Hash: fe5d2104838e6c14326919bbd317d7b6c7c60be8814b045047a4678482cfeca5
Instruction Fuzzy Hash: 5E91B1750082059FDB04CF58C985FEAB7E8FF88354F04846AFD899A196DB30ED85CBA1

Function 00A1BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00A81990,000000FF,00000000,00000030), ref: 00A1BFAC
SetMenuItemInfoW.USER32(00A81990,00000004,00000000,00000030), ref: 00A1BFE1
Sleep.KERNEL32(000001F4), ref: 00A1BFF3
GetMenuItemCount.USER32(?), ref: 00A1C039
GetMenuItemID.USER32(?,00000000), ref: 00A1C056
GetMenuItemID.USER32(?,-00000001), ref: 00A1C082
GetMenuItemID.USER32(?,?), ref: 00A1C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A1C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A1C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A1C145

Strings

0, xrefs: 00A1BF3D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: fd8aa227bc6719ac14d94e9b4e5d7c707a3ef5978742940340cbb2507ef118f8
Instruction ID: 61e7575c5c8d475c59e5ca68632ced0e5ebde23624a54037eccbef7d90b78d1d
Opcode Fuzzy Hash: fd8aa227bc6719ac14d94e9b4e5d7c707a3ef5978742940340cbb2507ef118f8
Instruction Fuzzy Hash: A561B2B498024AEFDF11CFA4CD88AEE7BB9FB46364F004155F805A7291C735AD86CB61

Function 00A3CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A3CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A3CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A3CD48

Part of subcall function 00A3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A3CCAA
Part of subcall function 00A3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A3CCBD
Part of subcall function 00A3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A3CCCF
Part of subcall function 00A3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A3CD05
Part of subcall function 00A3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A3CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A3CCF3

Strings

RegDeleteKeyExW, xrefs: 00A3CCC9
advapi32.dll, xrefs: 00A3CCB8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e778385dbe94430aab6eb57ca113a27ce92213988bec6bc292fc2d14b2756933
Instruction ID: a6ee72b504704c4f9da4f349a3be501709c8188d6130610036e7bb8118612ec1
Opcode Fuzzy Hash: e778385dbe94430aab6eb57ca113a27ce92213988bec6bc292fc2d14b2756933
Instruction Fuzzy Hash: 5F316079902129BBD720CB95DC88EFFBB7CEF86760F000165B909E3140DB759A46DBA0

Function 00A23D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A23D40
_wcslen.LIBCMT ref: 00A23D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A23D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A23DBE
RemoveDirectoryW.KERNEL32(?), ref: 00A23DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A23E55
CloseHandle.KERNEL32(00000000), ref: 00A23E60
CloseHandle.KERNEL32(00000000), ref: 00A23E6B

Strings

:, xrefs: 00A23D82
\??\%s, xrefs: 00A23D5B
\, xrefs: 00A23D77

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 9ff6f517415533ef541c0175aed4a4061cc411db0c8e21a04d49841da86e1910
Instruction ID: 9c2324dbeab54c11aa44350bb4b094c7c345d460988b3b2e78b2be904752e2d1
Opcode Fuzzy Hash: 9ff6f517415533ef541c0175aed4a4061cc411db0c8e21a04d49841da86e1910
Instruction Fuzzy Hash: DA31B07AA00219ABDB20DFA4DC48FEB37BCEF8A710F1045B6F609D6160E77497458B24

Function 00A1E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A1E6B4

Part of subcall function 009CE551: timeGetTime.WINMM(?,?,00A1E6D4), ref: 009CE555

Sleep.KERNEL32(0000000A), ref: 00A1E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A1E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A1E727
SetActiveWindow.USER32 ref: 00A1E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A1E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A1E773
Sleep.KERNEL32(000000FA), ref: 00A1E77E
IsWindow.USER32 ref: 00A1E78A
EndDialog.USER32(00000000), ref: 00A1E79B

Strings

BUTTON, xrefs: 00A1E719

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7d02a1a2e40d3dc3155b712495fad48d184553f7f01e0bfb968b16f36a25a2d0
Instruction ID: a0e9f4374583d36c55c65df8cc2dcf4a8527898fa4e21c3af7677630f6e64463
Opcode Fuzzy Hash: 7d02a1a2e40d3dc3155b712495fad48d184553f7f01e0bfb968b16f36a25a2d0
Instruction Fuzzy Hash: 1521C678201200AFFB00DFE0EC89F753BA9F796799F045434FC59821A1EB729C528B15

Function 00A1E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A1EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A1EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A1EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A1EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A1EAA7

Strings

open , xrefs: 00A1EA0C
play PlayMe, xrefs: 00A1EAA2
alias PlayMe, xrefs: 00A1EA36
status PlayMe mode, xrefs: 00A1EA58
close PlayMe, xrefs: 00A1EA6E, 00A1EA9B
play PlayMe wait, xrefs: 00A1EA91

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 04752d0fe162f4027b3fda444d372e63f4dc02e69e8fbdb6d6fdf8d6d6a6dd66
Instruction ID: 102d47924428f0a5d6d528274229f9d7d06557bccae52d162bdc4725dc520bf4
Opcode Fuzzy Hash: 04752d0fe162f4027b3fda444d372e63f4dc02e69e8fbdb6d6fdf8d6d6a6dd66
Instruction Fuzzy Hash: 7A115E31A9026979D720E7A1DD4AFFF7ABCFFD1F50F448829B915A20D1EAB00945C5B0

Function 00A19F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A1A012
SetKeyboardState.USER32(?), ref: 00A1A07D
GetAsyncKeyState.USER32(000000A0), ref: 00A1A09D
GetKeyState.USER32(000000A0), ref: 00A1A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00A1A0E3
GetKeyState.USER32(000000A1), ref: 00A1A0F4
GetAsyncKeyState.USER32(00000011), ref: 00A1A120
GetKeyState.USER32(00000011), ref: 00A1A12E
GetAsyncKeyState.USER32(00000012), ref: 00A1A157
GetKeyState.USER32(00000012), ref: 00A1A165
GetAsyncKeyState.USER32(0000005B), ref: 00A1A18E
GetKeyState.USER32(0000005B), ref: 00A1A19C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eb25f1fee6d8e6ebd89c8a2b59254a247b79d1d155a7773efc1a3923e33c62f0
Instruction ID: f46bbc6b98ae523ff53ab3f4fa577ac5c535243924db74f1788a26898591f363
Opcode Fuzzy Hash: eb25f1fee6d8e6ebd89c8a2b59254a247b79d1d155a7773efc1a3923e33c62f0
Instruction Fuzzy Hash: 1D51EA7490578439FB35EBB089107EBAFF55F22380F088599D5C6571C2DA649ACCC762

Function 00A15CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A15CE2
GetWindowRect.USER32(00000000,?), ref: 00A15CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A15D59
GetDlgItem.USER32(?,00000002), ref: 00A15D69
GetWindowRect.USER32(00000000,?), ref: 00A15D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A15DCF
GetDlgItem.USER32(?,000003E9), ref: 00A15DDD
GetWindowRect.USER32(00000000,?), ref: 00A15DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A15E31
GetDlgItem.USER32(?,000003EA), ref: 00A15E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A15E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A15E67

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c8c52ccac73c205cb8df567a66953392b97cb8a53b48fa56cbe2b330b926f3bd
Instruction ID: 36429e6562844c6ed416d5faa7485620df5a78aa29d00c4f87def67acc641332
Opcode Fuzzy Hash: c8c52ccac73c205cb8df567a66953392b97cb8a53b48fa56cbe2b330b926f3bd
Instruction Fuzzy Hash: AD511C74F00605AFDF18CFA8DD89AAEBBB5EB89310F148129F919E6290D7719E41CB50

Function 009C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009C8BE8,?,00000000,?,?,?,?,009C8BBA,00000000,?), ref: 009C8FC5

DestroyWindow.USER32(?), ref: 009C8C81
KillTimer.USER32(00000000,?,?,?,?,009C8BBA,00000000,?), ref: 009C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A06973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,009C8BBA,00000000,?), ref: 00A069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,009C8BBA,00000000,?), ref: 00A069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,009C8BBA,00000000), ref: 00A069D4
DeleteObject.GDI32(00000000), ref: 00A069E6

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f05d82fbce5254181c73ea7511cca4f03fe2ded4e660fb8d46ca915461a1cac9
Instruction ID: 9b6ed0a715d799f334f29d79016449b2caf9f668f7b74dd993de2e79b251373a
Opcode Fuzzy Hash: f05d82fbce5254181c73ea7511cca4f03fe2ded4e660fb8d46ca915461a1cac9
Instruction Fuzzy Hash: 5361DE34902704DFCB21DF64D948B2677F5FB81366F10491CE0829B9A0CB39AD92DFA2

Function 009C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 009C9944: GetWindowLongW.USER32(?,000000EB), ref: 009C9952

GetSysColor.USER32(0000000F), ref: 009C9862

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fd5da273b144489d1dc9774b612e5be3ef7ac61b25b2fc04f83137eceba0eab7
Instruction ID: 05e2f22e2a0207db8c3f266200631a37cafde0a79d24640290e2db4815f5d9c6
Opcode Fuzzy Hash: fd5da273b144489d1dc9774b612e5be3ef7ac61b25b2fc04f83137eceba0eab7
Instruction Fuzzy Hash: 4F41C4359056449FDB209F789C88FB93B69EB47330F144609F9A6871E2C731AD42DB12

Function 00A196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,009FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A19717
LoadStringW.USER32(00000000,?,009FF7F8,00000001), ref: 00A19720

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,009FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A19742
LoadStringW.USER32(00000000,?,009FF7F8,00000001), ref: 00A19745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A19866

Strings

^ ERROR, xrefs: 00A197FB
Line %d:, xrefs: 00A197A0
%s (%d) : ==> %s: %s %s, xrefs: 00A1984A
Line %d (File "%s"):, xrefs: 00A1978F
Error: , xrefs: 00A1981D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: cf570d00fa211da56dfc8b83fae0149b37765d2db655d066991abb3f2d4199b6
Instruction ID: a50b6876cc902bee03fd5746d710e13165f9a4d5ad66a725b64a673de2cb820c
Opcode Fuzzy Hash: cf570d00fa211da56dfc8b83fae0149b37765d2db655d066991abb3f2d4199b6
Instruction Fuzzy Hash: EE414E72800219AACF04EBE0DE96FEFB778AF95350F604425F60572092EB356F49CB61

Function 00A106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A10804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A1082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A10837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A1083C

Strings

\CLSID, xrefs: 00A10724
\IPC$, xrefs: 00A10784
SOFTWARE\Classes\, xrefs: 00A1070E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: c66c75a6cedf56f39e6e008a2d4196fac9fb23894dd3f3b920ba4f0d00b2c5a3
Instruction ID: 9fe0e438065fb0880a3ccedbe7b0f3f8b8d90ba241c7a6dcf35ebbc7ba028101
Opcode Fuzzy Hash: c66c75a6cedf56f39e6e008a2d4196fac9fb23894dd3f3b920ba4f0d00b2c5a3
Instruction Fuzzy Hash: F8413A76C10228ABDF11EFA4DD85DEDB778FF84360F548129E905A31A0EB709E44CB90

Function 00A43F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A4403B
CreateCompatibleDC.GDI32(00000000), ref: 00A44042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A44055
SelectObject.GDI32(00000000,00000000), ref: 00A4405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A44068
DeleteDC.GDI32(00000000), ref: 00A44072
GetWindowLongW.USER32(?,000000EC), ref: 00A4407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00A44092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00A4409E

Strings

static, xrefs: 00A43FD3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9605c3b188d766fcac9286ba8f4c0f70b59c692159793d2a8525a502b2a4246b
Instruction ID: 572a63d933b7700cba7429161aec2b9f5e3c1f26e95f38b9e6cee3cd98e6be51
Opcode Fuzzy Hash: 9605c3b188d766fcac9286ba8f4c0f70b59c692159793d2a8525a502b2a4246b
Instruction Fuzzy Hash: E6316F3A501215BBDF219FA8DC09FDA3B68FF8E324F110211FA19E61A0C77AD821DB54

Function 00A33C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A33C5C
CoInitialize.OLE32(00000000), ref: 00A33C8A
CoUninitialize.OLE32 ref: 00A33C94
_wcslen.LIBCMT ref: 00A33D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A33DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A33ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A33F0E
CoGetObject.OLE32(?,00000000,00A4FB98,?), ref: 00A33F2D
SetErrorMode.KERNEL32(00000000), ref: 00A33F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A33FC4
VariantClear.OLEAUT32(?), ref: 00A33FD8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 080aad3c8c0b8a2f75333d79df28559f169850f7c0df64a0ab3fd1d7e64fe654
Instruction ID: af5d18882e15e361e6902960bf98977fdd8fa3d189d637ab82dd6a8b51cffea7
Opcode Fuzzy Hash: 080aad3c8c0b8a2f75333d79df28559f169850f7c0df64a0ab3fd1d7e64fe654
Instruction Fuzzy Hash: 3CC14676608301AFDB00DF68C98492BBBE9FF89754F10491DF98A9B210D771EE46CB52

Function 00A27A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A27AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A27B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A27BA3
CoCreateInstance.OLE32(00A4FD08,00000000,00000001,00A76E6C,?), ref: 00A27BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A27C74
CoTaskMemFree.OLE32(?,?), ref: 00A27CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A27D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A27D7A
CoTaskMemFree.OLE32(00000000), ref: 00A27D81
CoTaskMemFree.OLE32(00000000), ref: 00A27DD6
CoUninitialize.OLE32 ref: 00A27DDC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b1db3eae1d733c0bc58147919ad7450290d750258e0bda95e6409cd6af334f0d
Instruction ID: 91016a266c607ce908cef428d184d32c9d13e384df32c62ceaac1d65c3a17a18
Opcode Fuzzy Hash: b1db3eae1d733c0bc58147919ad7450290d750258e0bda95e6409cd6af334f0d
Instruction Fuzzy Hash: ACC12D75A04115AFCB14DFA8D884DAEBBF9FF48314B1484A9F41A9B361D731EE41CB90

Function 00A4541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A45504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A45515
CharNextW.USER32(00000158), ref: 00A45544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A45585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A4559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A455AC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: fe76d8183697a39caada9025213406e6eef89801c3956c5f4437d98a313c0de2
Instruction ID: 1496f82447da9fb0e9a31112736c89966abfa0f814276271af68b3e1d4de5ee4
Opcode Fuzzy Hash: fe76d8183697a39caada9025213406e6eef89801c3956c5f4437d98a313c0de2
Instruction Fuzzy Hash: E261AF38D04608EFDF10DFB0CC849FE7BB9EB86320F108145F925AA292D7758A81DB61

Function 00A0FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A0FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A0FB08
VariantInit.OLEAUT32(?), ref: 00A0FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A0FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A0FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A0FBA1
VariantClear.OLEAUT32(?), ref: 00A0FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A0FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A0FBCC
VariantClear.OLEAUT32(?), ref: 00A0FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A0FBE9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bcdd7128a34f02c4ba3ce8daea79b9c05145f2b3e6c87a1949fde2c85c26a7a2
Instruction ID: b40dd89aac1c6236e2bbd0137ed37a151f86dc53c0947e78ec63572fb4f05b0a
Opcode Fuzzy Hash: bcdd7128a34f02c4ba3ce8daea79b9c05145f2b3e6c87a1949fde2c85c26a7a2
Instruction Fuzzy Hash: 04415239A0021DDFCB10DFA8D9589ADBBB9EF49354F008065E956A7261C731A946CFA0

Function 00A19C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A19CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A19D22
GetKeyState.USER32(000000A0), ref: 00A19D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A19D57
GetKeyState.USER32(000000A1), ref: 00A19D6C
GetAsyncKeyState.USER32(00000011), ref: 00A19D84
GetKeyState.USER32(00000011), ref: 00A19D96
GetAsyncKeyState.USER32(00000012), ref: 00A19DAE
GetKeyState.USER32(00000012), ref: 00A19DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A19DD8
GetKeyState.USER32(0000005B), ref: 00A19DEA

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 89da377f0760cd21d41d1c515bd40ebf840d27d9b42c633cfbb30ccf66d1aa35
Instruction ID: dcdb3648b194cddd0aec583a08bd1fa227529d81b87590705df8ef8b0c30e0e0
Opcode Fuzzy Hash: 89da377f0760cd21d41d1c515bd40ebf840d27d9b42c633cfbb30ccf66d1aa35
Instruction Fuzzy Hash: 9441D7386047C96DFF719764D8243F7BEF06F12344F08805ADAC65A5C2DBA599C8C7A2

Function 00A3055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A305BC
inet_addr.WSOCK32(?), ref: 00A3061C
gethostbyname.WSOCK32(?), ref: 00A30628
IcmpCreateFile.IPHLPAPI ref: 00A30636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A307B9
WSACleanup.WSOCK32 ref: 00A307BF

Strings

Ping, xrefs: 00A30676

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f5b3440a736839ae5a0e990ca79f01d1df4fdd86a32004e58982eb42c01d26df
Instruction ID: 8c2cfb687f54cbdff145ee04f796c52be050cc54b2db4ce79dfcfb93d19b93f2
Opcode Fuzzy Hash: f5b3440a736839ae5a0e990ca79f01d1df4fdd86a32004e58982eb42c01d26df
Instruction Fuzzy Hash: AC91AD356086019FD320DF19C999F1ABBE0AF84328F1485A9F46A8B7A2C771FC41CF91

Function 00A38CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A38CF3

Part of subcall function 00A18E54: _wcslen.LIBCMT ref: 00A18E77

_wcslen.LIBCMT ref: 00A38D4E
_wcslen.LIBCMT ref: 00A38D9C
_wcslen.LIBCMT ref: 00A38DDC
_wcslen.LIBCMT ref: 00A38E6E

Strings

stdcall, xrefs: 00A38DD6, 00A38DDB
cdecl, xrefs: 00A38D48, 00A38D4D
none, xrefs: 00A38E65, 00A38E6A
winapi, xrefs: 00A38D96, 00A38D9B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: afae8c74372ff2c9bdb73baf39f1f10a9515cb61ed1460870ab45e233653a06d
Instruction ID: 5a30904ba4909c855364ff7ddad25beb740f80b70d67693e70f450b40710136b
Opcode Fuzzy Hash: afae8c74372ff2c9bdb73baf39f1f10a9515cb61ed1460870ab45e233653a06d
Instruction Fuzzy Hash: 4F518031A042169BCF14DF68C9509BEB7B5BFA4764F218229F926E72C4DB39DE40C790

Function 00A3372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A33774
CoUninitialize.OLE32 ref: 00A3377F
CoCreateInstance.OLE32(?,00000000,00000017,00A4FB78,?), ref: 00A337D9
IIDFromString.OLE32(?,?), ref: 00A3384C
VariantInit.OLEAUT32(?), ref: 00A338E4
VariantClear.OLEAUT32(?), ref: 00A33936

Strings

Failed to create object, xrefs: 00A337E4, 00A3389A
NULL Pointer assignment, xrefs: 00A3381E
Invalid parameter, xrefs: 00A33865

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6a1f249b2598454a6f54f0545c0cb93ea2606a8718d7b2a9975a14153ed63681
Instruction ID: ada3e1103057484b579dc11dc248242513f779fafad1c07423ad3f639f1283c0
Opcode Fuzzy Hash: 6a1f249b2598454a6f54f0545c0cb93ea2606a8718d7b2a9975a14153ed63681
Instruction Fuzzy Hash: AD61CF76608311AFD710DF54C989FAABBE8EF89710F00491DF9859B291C770EE49CB92

Function 00A23388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A233CF

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A233F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00A23504
Line %d (File "%s"):, xrefs: 00A23443, 00A2345C
Incorrect parameters to object property !, xrefs: 00A234AB
^ ERROR , xrefs: 00A2349E
"%s" (%d) : ==> %s:, xrefs: 00A23522
Error: , xrefs: 00A234D1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f50636304e5514e3bcaf47c9c3f33b7d1ec4ea3813dba2c642e5301b15ff7844
Instruction ID: f0a943241cdeaef1783d0544aaa2142c25d26a63c2dda67381847a21b32eb153
Opcode Fuzzy Hash: f50636304e5514e3bcaf47c9c3f33b7d1ec4ea3813dba2c642e5301b15ff7844
Instruction Fuzzy Hash: 38518F32900219BADF14EBE0DE56FEEB7B8EF44350F608465F50972052EB252F99DB60

Function 00A1B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A1B5FC
_wcslen.LIBCMT ref: 00A1B608
_wcslen.LIBCMT ref: 00A1B64D
_wcslen.LIBCMT ref: 00A1B68C
_wcslen.LIBCMT ref: 00A1B6C7

Strings

REMOVE, xrefs: 00A1B602, 00A1B607
KEYS, xrefs: 00A1B647, 00A1B64C
EXISTS, xrefs: 00A1B686, 00A1B68B
APPEND, xrefs: 00A1B6C1, 00A1B6C6

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4e59b8f818ee0f20d7a67b24111175b3fdb09b0b8f0b0237520b92052c2ad36d
Instruction ID: 8be4c8f801bcca797022e7407deed8d27556da6f3ec830ec0b227275f0f18ef8
Opcode Fuzzy Hash: 4e59b8f818ee0f20d7a67b24111175b3fdb09b0b8f0b0237520b92052c2ad36d
Instruction Fuzzy Hash: D041B632A111269BCB105F7D8DA05FE77A5ABB0BA4B244529E475DB284E731CDC1C7A0

Function 00A25393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A25416
GetLastError.KERNEL32 ref: 00A25420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A254A7

Strings

UNKNOWN, xrefs: 00A25444
READONLY, xrefs: 00A25452
READY, xrefs: 00A25460, 00A25468
NOTREADY, xrefs: 00A2544B
INVALID, xrefs: 00A25459

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: efb5cce037743ddb7493e45cd82e4f2feacf871664b0373f85deb510d78b9e7d
Instruction ID: 6fac663f91e6c8feeebb6bc5e5a6d002e50db1fcaa8e908522910e4bddc13775
Opcode Fuzzy Hash: efb5cce037743ddb7493e45cd82e4f2feacf871664b0373f85deb510d78b9e7d
Instruction Fuzzy Hash: D631CC39E006149FC710EF6CD984BAABBB5FF45315F148066E505CB292D771DD82CB90

Function 00A43C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A43C79
SetMenu.USER32(?,00000000), ref: 00A43C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A43D10
IsMenu.USER32(?), ref: 00A43D24
CreatePopupMenu.USER32 ref: 00A43D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A43D5B
DrawMenuBar.USER32 ref: 00A43D63

Strings

0, xrefs: 00A43C54
F, xrefs: 00A43D4E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 852bf5f01dc2a3a0bc169920880e127dd5564ee8ef19c4f0a54e67af450e8027
Instruction ID: 7ab319317752eaee639a8a7ed17bdf817906cbffc60d0f7d7610d59e4a6b4140
Opcode Fuzzy Hash: 852bf5f01dc2a3a0bc169920880e127dd5564ee8ef19c4f0a54e67af450e8027
Instruction Fuzzy Hash: A4416B79A01209EFDF14CFA4D884AAE7BB5FF89350F140429F94A97360D731AA11CF90

Function 00A11EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A11F64
GetDlgCtrlID.USER32 ref: 00A11F6F
GetParent.USER32 ref: 00A11F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A11F8E
GetDlgCtrlID.USER32(?), ref: 00A11F97
GetParent.USER32(?), ref: 00A11FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A11FAE

Strings

ListBox, xrefs: 00A11F21
ComboBox, xrefs: 00A11EEC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f7c1728ccfa3a70648730736c7c42924091486faa87f265fec0e693e292485c8
Instruction ID: 4fca932d030e989b4bed3d6d6d83b103a4dfefa2acaa45d4b5582357b7a0000e
Opcode Fuzzy Hash: f7c1728ccfa3a70648730736c7c42924091486faa87f265fec0e693e292485c8
Instruction Fuzzy Hash: 3F21C579900114BBCF04EFA0CD85EFEBBB8EF46320F108116FA5567291DB795949DB60

Function 00A11FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00A12043
GetDlgCtrlID.USER32 ref: 00A1204E
GetParent.USER32 ref: 00A1206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A1206D
GetDlgCtrlID.USER32(?), ref: 00A12076
GetParent.USER32(?), ref: 00A1208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A1208D

Strings

ListBox, xrefs: 00A12002
ComboBox, xrefs: 00A11FCD

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 02d4ea57da75c268249163bfb352d63974c29538bdfe441dd11e8cbd0b5d2208
Instruction ID: 6199ad2faabc8f3f35d3e79e824b38e154a2fe7e2cd3a12f302cfd870ca8e407
Opcode Fuzzy Hash: 02d4ea57da75c268249163bfb352d63974c29538bdfe441dd11e8cbd0b5d2208
Instruction Fuzzy Hash: 7B21C579900214BBCF14EFA0CC85EFEBBB8AF49350F108405B95967191D6798955DB60

Function 00A43A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A43A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A43AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A43AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A43AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A43B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A43BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A43BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A43BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A43BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A43C13

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 60f38db7caac4147753091048a91bb77c2c7ba5c6f165e464500156b54bb825d
Instruction ID: 1261e0409fc0f5e7b5a3e7b2b4940da2c8294d27e3ed73a7e50b1db9d4f93af2
Opcode Fuzzy Hash: 60f38db7caac4147753091048a91bb77c2c7ba5c6f165e464500156b54bb825d
Instruction Fuzzy Hash: 5A615A79A00248AFDB10DFA8CC81EEE77B8EB49710F104199FA15E72A1D774AE46DF50

Function 00A1B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A1B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A1B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A1B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A1A1E1,?,00000001), ref: 00A1B21D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: eb6a91d2a06eb29cb4448b9d8c69e283bd3847332665564abfdce123e9eb476c
Instruction ID: 0a3918d04093787a8151a0b43432471bfc4d6d0c437c3620decae577abceea1a
Opcode Fuzzy Hash: eb6a91d2a06eb29cb4448b9d8c69e283bd3847332665564abfdce123e9eb476c
Instruction Fuzzy Hash: 2231BF7A911204BFDB10DFA4DC58FEDBBB9BB51721F218104FA06D61A0D7B49A868F70

Function 009E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009E2C94

Part of subcall function 009E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000), ref: 009E29DE
Part of subcall function 009E29C8: GetLastError.KERNEL32(00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000,00000000), ref: 009E29F0

_free.LIBCMT ref: 009E2CA0
_free.LIBCMT ref: 009E2CAB
_free.LIBCMT ref: 009E2CB6
_free.LIBCMT ref: 009E2CC1
_free.LIBCMT ref: 009E2CCC
_free.LIBCMT ref: 009E2CD7
_free.LIBCMT ref: 009E2CE2
_free.LIBCMT ref: 009E2CED
_free.LIBCMT ref: 009E2CFB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9cba4a585d3ae1f473ab69c816c487306073400c001f31d45e4e7e320ff071b8
Instruction ID: d5815544df6457dadf7165ff59abe69f791bbc8d0cc9870c368ad7f77c674345
Opcode Fuzzy Hash: 9cba4a585d3ae1f473ab69c816c487306073400c001f31d45e4e7e320ff071b8
Instruction Fuzzy Hash: 5C11D47610014CAFCB03EF56DA82EDD3BA9FF45350F4254A0FA489F222DA35EE509B90

Function 00A27DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A27FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A27FC1
GetFileAttributesW.KERNEL32(?), ref: 00A27FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A28005
SetCurrentDirectoryW.KERNEL32(?), ref: 00A28017
SetCurrentDirectoryW.KERNEL32(?), ref: 00A28060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A280B0

Strings

*.*, xrefs: 00A28066

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 31c4fbd3d15ed00c92be77b444686df00126aa20fe43728e0ffbafae56856454
Instruction ID: de2a7c76290b29b6a76a3f9a5cddcf972f570df088b94d8f9bf0f7872efaa520
Opcode Fuzzy Hash: 31c4fbd3d15ed00c92be77b444686df00126aa20fe43728e0ffbafae56856454
Instruction Fuzzy Hash: 9681D3715082119BCB20EF58D840AAEB3E8BF89320F554C7EF885D7250EB75DE45CB62

Function 009B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 009B5C7A

Part of subcall function 009B5D0A: GetClientRect.USER32(?,?), ref: 009B5D30
Part of subcall function 009B5D0A: GetWindowRect.USER32(?,?), ref: 009B5D71
Part of subcall function 009B5D0A: ScreenToClient.USER32(?,?), ref: 009B5D99

GetDC.USER32 ref: 009F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009F4708
SelectObject.GDI32(00000000,00000000), ref: 009F4716
SelectObject.GDI32(00000000,00000000), ref: 009F472B
ReleaseDC.USER32(?,00000000), ref: 009F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009F47C4

Strings

U, xrefs: 009F4693

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2554daac96fa3ddaf217ddeaddb7a885949c17bf4763d6c8dc2fda98e6dc8f4e
Instruction ID: 30000d9274f09349a74bb560704c3f32a5cf64ac2ae5906ac3f65a84c50c92ad
Opcode Fuzzy Hash: 2554daac96fa3ddaf217ddeaddb7a885949c17bf4763d6c8dc2fda98e6dc8f4e
Instruction Fuzzy Hash: 4C71D034400209DFCF21DF64CA85AFB7BBAFF8A364F144269EE559A266C3358842DF50

Function 00A2359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A235E4

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

LoadStringW.USER32(00A82390,?,00000FFF,?), ref: 00A2360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00A23724
^ ERROR, xrefs: 00A236C9
Line %d (File "%s"):, xrefs: 00A2366B
"%s" (%d) : ==> %s:, xrefs: 00A23742
Error: , xrefs: 00A236EF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 432692d6424d7e214dd4a55fa5776199add6af33f3392e8c7794386bdce88787
Instruction ID: 7a5be59bace9f2e1bee91b2dbaf252b6f160d9bf3ce9edab8deda2d1943dc22b
Opcode Fuzzy Hash: 432692d6424d7e214dd4a55fa5776199add6af33f3392e8c7794386bdce88787
Instruction Fuzzy Hash: 7C515E72800219BADF14EBE0DE92FEEBB78EF45350F548125F109721A1DB351A99DFA0

Function 00A2C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A2C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A2C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A2C2CA
GetLastError.KERNEL32 ref: 00A2C322
SetEvent.KERNEL32(?), ref: 00A2C336
InternetCloseHandle.WININET(00000000), ref: 00A2C341

Strings

, xrefs: 00A2C2BB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c5289c8c4119e44feece5b31f284697ce0d5a035172b758b6f1ac48c5b54e421
Instruction ID: c69131c5d3cd7f0b7e75e3024d1176fd0720ba55f178077ef89b173f400de48a
Opcode Fuzzy Hash: c5289c8c4119e44feece5b31f284697ce0d5a035172b758b6f1ac48c5b54e421
Instruction Fuzzy Hash: 2B31B175500714AFD721DFA8AC88AAFBBFCEB49760B10892DF44AD7200DB71DD058B60

Function 00A1989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009F3AAF,?,?,Bad directive syntax error,00A4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A198BC
LoadStringW.USER32(00000000,?,009F3AAF,?), ref: 00A198C3

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A19987

Strings

Line %d:, xrefs: 00A19912
., xrefs: 00A1996D
Error: , xrefs: 00A19955
%s (%d) : ==> %s.: %s %s, xrefs: 00A198F1
Line %d (File "%s"):, xrefs: 00A1992D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b37bf5e33e5e25e0accbc74deda2f30a3dc79fb5084282e43b879879dc884f95
Instruction ID: f43d56e9d855ebc70d3bd712a5d61d4e326f96cf76d2f7be01390601a8f5065b
Opcode Fuzzy Hash: b37bf5e33e5e25e0accbc74deda2f30a3dc79fb5084282e43b879879dc884f95
Instruction Fuzzy Hash: 99217E3180021ABBCF15EF90CD16FEE7B79BF58310F448469F519660A2EB319A58DB51

Function 00A1209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A1214D

Strings

details, xrefs: 00A120FB
largeicons, xrefs: 00A120E1
list, xrefs: 00A1212F
SHELLDLL_DefView, xrefs: 00A120CC
smallicons, xrefs: 00A12115

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: bb673a1c887a6749c15fe879a50ee3e0da13c53b0b6edc24cf7a5d6d1f2269d0
Instruction ID: a11c9204ae85753e0a3a828b5af5219825f630d874d02b820ddc7dd554780036
Opcode Fuzzy Hash: bb673a1c887a6749c15fe879a50ee3e0da13c53b0b6edc24cf7a5d6d1f2269d0
Instruction Fuzzy Hash: EB110A7AAC4706BAF605A330DC06FFA779CDB45324B20D216FB08A91D1FBA1D8925714

Function 009E8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5ef6f49f995b5033c30f11062a9896885e1656fe74164420fb132582db2f8a
Instruction ID: c5e9841cf005101ea7633b55fbf65af1a74cd058a136f51f582b7e91217f8600
Opcode Fuzzy Hash: 8b5ef6f49f995b5033c30f11062a9896885e1656fe74164420fb132582db2f8a
Instruction Fuzzy Hash: 67C1F674904289AFDF12EFEAC841BAEBBB4BF49310F444599F519AB392C7349D41CB60

Function 009ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 009ECEB7
_free.LIBCMT ref: 009ECF22
_free.LIBCMT ref: 009ECF48
_free.LIBCMT ref: 009ECF71
_free.LIBCMT ref: 009ECFA9
_free.LIBCMT ref: 009ECFDA
_free.LIBCMT ref: 009ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 009ED09C
_free.LIBCMT ref: 009ED0B5

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: bc8bcd63e515a79c9ddd8d027296e5f4026206d132d33d639d430aecdbf6608e
Instruction ID: cc60ffc690b89915200f46a8d389e3815857f3e1cd3ebf3e17fc71abfb357f9f
Opcode Fuzzy Hash: bc8bcd63e515a79c9ddd8d027296e5f4026206d132d33d639d430aecdbf6608e
Instruction Fuzzy Hash: 29616CB29043C4AFDB27AFB69C41B6E7B9DEF45320F04496DF98097243D6359D028750

Function 00A450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A45186
ShowWindow.USER32(?,00000000), ref: 00A451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00A451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A451D1

Part of subcall function 00A46FBA: DeleteObject.GDI32(00000000), ref: 00A46FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A4520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A4521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A4524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A45287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A45296

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 238c04dbe13ba38575f33e44e54c206f0d15bed29f574841bcae6fc4849c3a83
Instruction ID: 6eca38a94597bb21daeac93b74486144aa6dacf9aee15d7bcb2ab5332875a647
Opcode Fuzzy Hash: 238c04dbe13ba38575f33e44e54c206f0d15bed29f574841bcae6fc4849c3a83
Instruction Fuzzy Hash: C4519338E41A08BFEF20AF78CC49BD97B75FB85321F148112F615962E2C7B5A981DB41

Function 009C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A06890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A06901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A0691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A0692D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0d09aed15f5a566558fa748cf6f86cdd78031db210667de7b1bc61cc3532905d
Instruction ID: 4c453f6d11455eb14ba517a1fdbc28358277c517c2187b165c110d9e35084932
Opcode Fuzzy Hash: 0d09aed15f5a566558fa748cf6f86cdd78031db210667de7b1bc61cc3532905d
Instruction Fuzzy Hash: EA519774A00209EFDB20CF64DC95FAA7BB5EB88760F104918F946972E0DB75ED91CB50

Function 00A2C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A2C182
GetLastError.KERNEL32 ref: 00A2C195
SetEvent.KERNEL32(?), ref: 00A2C1A9

Part of subcall function 00A2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A2C272
Part of subcall function 00A2C253: GetLastError.KERNEL32 ref: 00A2C322
Part of subcall function 00A2C253: SetEvent.KERNEL32(?), ref: 00A2C336
Part of subcall function 00A2C253: InternetCloseHandle.WININET(00000000), ref: 00A2C341

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ab161b4f6f849221edad46f17d74ee5b2ea499175283939ba555cd33da1e9541
Instruction ID: 5a1f2bae2d4e5985372fb95ec16f28aacd98d85fa7f7d229a54ee6374c9b56da
Opcode Fuzzy Hash: ab161b4f6f849221edad46f17d74ee5b2ea499175283939ba555cd33da1e9541
Instruction Fuzzy Hash: 5431A375101711EFDB21AFE9ED04AAABBF8FF55320B00452DF95A83610DB32E811DB60

Function 00A125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A13A57
Part of subcall function 00A13A3D: GetCurrentThreadId.KERNEL32 ref: 00A13A5E
Part of subcall function 00A13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A125B3), ref: 00A13A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A12601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A12605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A1260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A12623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A12627

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: adf9c2a445c5ae8ed7fe7b02fed46884402b9b5a0fffbb6b52c25e49330b8c4d
Instruction ID: e438007b961af1516c8089584ddb87721dc64ac47d773189574c41481156ff01
Opcode Fuzzy Hash: adf9c2a445c5ae8ed7fe7b02fed46884402b9b5a0fffbb6b52c25e49330b8c4d
Instruction Fuzzy Hash: C001D835391220BBFB10A7A89C8AF997F59DF8EB61F100011F318AE0D1C9E354458AA9

Function 00A11803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A11449,?,?,00000000), ref: 00A1180C
HeapAlloc.KERNEL32(00000000,?,00A11449,?,?,00000000), ref: 00A11813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A11449,?,?,00000000), ref: 00A11828
GetCurrentProcess.KERNEL32(?,00000000,?,00A11449,?,?,00000000), ref: 00A11830
DuplicateHandle.KERNEL32(00000000,?,00A11449,?,?,00000000), ref: 00A11833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A11449,?,?,00000000), ref: 00A11843
GetCurrentProcess.KERNEL32(00A11449,00000000,?,00A11449,?,?,00000000), ref: 00A1184B
DuplicateHandle.KERNEL32(00000000,?,00A11449,?,?,00000000), ref: 00A1184E
CreateThread.KERNEL32(00000000,00000000,00A11874,00000000,00000000,00000000), ref: 00A11868

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ccfd001d34181bda84b9eec05a3c9e879b2bbdc43e51dbf0701cbd1d8ce1b981
Instruction ID: 1cfe8cb0c997a4bd7f31d9b7395b459075dc9a82b2b7810bacb0e44fdf2edf51
Opcode Fuzzy Hash: ccfd001d34181bda84b9eec05a3c9e879b2bbdc43e51dbf0701cbd1d8ce1b981
Instruction Fuzzy Hash: 3801BF79241304BFE750EFA9DC4DF577BACEB8AB11F004511FA05DB191C6719801CB20

Function 00A3A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A1D501
Part of subcall function 00A1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A1D50F
Part of subcall function 00A1D4DC: CloseHandle.KERNELBASE(00000000), ref: 00A1D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A3A16D
GetLastError.KERNEL32 ref: 00A3A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A3A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A3A268
GetLastError.KERNEL32(00000000), ref: 00A3A273
CloseHandle.KERNEL32(00000000), ref: 00A3A2C4

Strings

SeDebugPrivilege, xrefs: 00A3A18F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 35985406c3b448b6a05d4e04a703d1ff026594a4a351dc7941261627d1b84471
Instruction ID: 87e60ddf25f3c26b55f2b80222e94b9636172d24e769353fb60b09851a1188cc
Opcode Fuzzy Hash: 35985406c3b448b6a05d4e04a703d1ff026594a4a351dc7941261627d1b84471
Instruction Fuzzy Hash: 6061A0742042519FD720DF58C494F6ABBE1AF94318F18858CF4AA8B7A3C776EC45CB92

Function 00A43886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A43925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A4393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A43954
_wcslen.LIBCMT ref: 00A43999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A439F4

Strings

SysListView32, xrefs: 00A438F7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e7505654489990c4719d098f90da1acc562ef7e2faef01aba5e25994d85a1d2f
Instruction ID: 68b75c5ed8f262251b5901450e46e3fae32ef53df89c48dc047e71dcd1ede314
Opcode Fuzzy Hash: e7505654489990c4719d098f90da1acc562ef7e2faef01aba5e25994d85a1d2f
Instruction Fuzzy Hash: B4419376A00219ABEF21DFA4CC45BEE7BA9FF88350F104526F958E7281D7759980CB90

Function 00A1BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A1BCFD
IsMenu.USER32(00000000), ref: 00A1BD1D
CreatePopupMenu.USER32 ref: 00A1BD53
GetMenuItemCount.USER32(013F7778), ref: 00A1BDA4
InsertMenuItemW.USER32(013F7778,?,00000001,00000030), ref: 00A1BDCC

Strings

2, xrefs: 00A1BD37
0, xrefs: 00A1BCA8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3ca2b4c17fd337ec09b7ef62fc0c5e35b0b0fedb1409351bd0b63795983b1c39
Instruction ID: 1b3a5422f6b80679961b74da0d4e4a61501d58fbc93b7c5932688091bc878105
Opcode Fuzzy Hash: 3ca2b4c17fd337ec09b7ef62fc0c5e35b0b0fedb1409351bd0b63795983b1c39
Instruction Fuzzy Hash: E151DF70A10205DBDF18CFA8E984BEEBBF4BF49324F148119E401DB290D7709981CB72

Function 00A1C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A1C913

Strings

question, xrefs: 00A1C8CC
stop, xrefs: 00A1C8E4
blank, xrefs: 00A1C895
warning, xrefs: 00A1C8FC
info, xrefs: 00A1C8B4

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3f9106a0fb6c6d1b1403f887a87deba1bcd0727211fd8897ae0007678e147f48
Instruction ID: 22547908abaa0b96734d40bc04823017c5a25000d63ae8ab4dc52b253fb0da1d
Opcode Fuzzy Hash: 3f9106a0fb6c6d1b1403f887a87deba1bcd0727211fd8897ae0007678e147f48
Instruction Fuzzy Hash: B5113D366C9706BBE7049B649CC3EEE27ACDF15374B10802BF504AA382D7705D805268

Function 00A1DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A1DE42
gethostname.WSOCK32(?,00000100), ref: 00A1DE5C
gethostbyname.WSOCK32(?), ref: 00A1DE69
inet_ntoa.WSOCK32(?), ref: 00A1DEAB
_strcat.LIBCMT ref: 00A1DEB9
WSACleanup.WSOCK32 ref: 00A1DEDE

Strings

0.0.0.0, xrefs: 00A1DE87

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 55933f2a4c40341828567917ad296ff7dc72cce87517efd02c89004fa841e936
Instruction ID: 6b9b43d17baf2831f7947881760c43a19b2e98787f25e4eb6c20809904d0ee61
Opcode Fuzzy Hash: 55933f2a4c40341828567917ad296ff7dc72cce87517efd02c89004fa841e936
Instruction Fuzzy Hash: 45110635904114ABCB20AB709C4AFEE77BCDF91721F00416AF449AA1D1EF718AC18A61

Function 00A49F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

GetSystemMetrics.USER32(0000000F), ref: 00A49FC7
GetSystemMetrics.USER32(0000000F), ref: 00A49FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A4A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A4A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A4A263
ShowWindow.USER32(00000003,00000000), ref: 00A4A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00A4A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A4A2CA

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e575106984ae662af3aeb24c3b73dc97a6a26beb8e28a6a9d5cdebecb387ce2e
Instruction ID: d6fc013a5dd9dfda7a4db695803d71bb2579c383f3d264f6de6aa32b6cde84af
Opcode Fuzzy Hash: e575106984ae662af3aeb24c3b73dc97a6a26beb8e28a6a9d5cdebecb387ce2e
Instruction Fuzzy Hash: B3B1EC39640215EFCF14CF68C9847EE3BB2FF98301F088169EC499B295D771AA40DB51

Function 00A1ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A1ED2A
_wcslen.LIBCMT ref: 00A1ED3B
_wcslen.LIBCMT ref: 00A1ED79
_wcslen.LIBCMT ref: 00A1EDAF
_wcslen.LIBCMT ref: 00A1EDDF
_wcslen.LIBCMT ref: 00A1EDEF
_wcslen.LIBCMT ref: 00A1EE2B
_wcslen.LIBCMT ref: 00A1EE5A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0a94f7ee194ac2b4214cc1be4350ae9da44bd3cc1fd18774f3a05ac34464068d
Instruction ID: 19014aca43c720b10d64f7ab83d420ea0f6417855a2eaa83147a492684004fd3
Opcode Fuzzy Hash: 0a94f7ee194ac2b4214cc1be4350ae9da44bd3cc1fd18774f3a05ac34464068d
Instruction Fuzzy Hash: B441A465C5011876CB11EBF58C8AACFB7A8AF85750F508463FA24E3261FB34E245C7E5

Function 009CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A0682C,00000004,00000000,00000000), ref: 009CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A0682C,00000004,00000000,00000000), ref: 00A0F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A0682C,00000004,00000000,00000000), ref: 00A0F454

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 518dbf276a4f693aebccc31a4690eb25f66c971d087ad0eb939df56935c454e3
Instruction ID: ad1711fabfe39c396765cceb9c0d8b28a70311b1d09f48be2b89590a6b80cd76
Opcode Fuzzy Hash: 518dbf276a4f693aebccc31a4690eb25f66c971d087ad0eb939df56935c454e3
Instruction Fuzzy Hash: 4D414034A14740BFCF78CB38D8A8F2A7B976B87320F14543CE487669A0D636A881C713

Function 00A42D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A42D1B
GetDC.USER32(00000000), ref: 00A42D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A42D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A42D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A42D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A42D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A42DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A42DE1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: dd2ccee8305626ab92e3c43796863d43ca2e877178c7c0c9a3e8fa05682a6a26
Instruction ID: 2dd0811ff56ef1bb3d48bc70d48833f64f1b05c075d216d36f067f983f212690
Opcode Fuzzy Hash: dd2ccee8305626ab92e3c43796863d43ca2e877178c7c0c9a3e8fa05682a6a26
Instruction Fuzzy Hash: E831A27A102614BFEB518F50CC49FEB3FADEF8A721F044055FE089A191C6759C41C7A0

Function 00A15622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A15637
_memcmp.LIBVCRUNTIME ref: 00A15659
_memcmp.LIBVCRUNTIME ref: 00A15671
_memcmp.LIBVCRUNTIME ref: 00A15684
_memcmp.LIBVCRUNTIME ref: 00A1569E
_memcmp.LIBVCRUNTIME ref: 00A156B1
_memcmp.LIBVCRUNTIME ref: 00A156C9
_memcmp.LIBVCRUNTIME ref: 00A156E4

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 226ab357268c6790a64bcf1e11d8765c8cb1da7324e1a1fe04ba4e763e906572
Instruction ID: 9b5af1a5d3944157237aa69880952ab551da13fc373a1bc4951f886b107f9612
Opcode Fuzzy Hash: 226ab357268c6790a64bcf1e11d8765c8cb1da7324e1a1fe04ba4e763e906572
Instruction Fuzzy Hash: B921C676E80A09FFD2145A319E82FFA739CBFE1384F484421FD149A682F760ED5085E5

Function 00A34FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A35007
NULL Pointer assignment, xrefs: 00A3502E, 00A35383

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9bac15264bf6c73d81325df2d0aa531143462e08112c6d53565a3f9fc0ce707d
Instruction ID: b287ee2ff0bfe99267bafa06f03cf1a6b241ea8aad040f2fb195f9a449e6b351
Opcode Fuzzy Hash: 9bac15264bf6c73d81325df2d0aa531143462e08112c6d53565a3f9fc0ce707d
Instruction Fuzzy Hash: 3AD1CE75E0060AAFDF14CFA8C890BAEB7B5BF48344F148569F915AB280E771DD41CBA0

Function 009F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 009F15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009F1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009F16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009F16FB

Part of subcall function 009E3820: RtlAllocateHeap.NTDLL(00000000,?,00A81444,?,009CFDF5,?,?,009BA976,00000010,00A81440,009B13FC,?,009B13C6,?,009B1129), ref: 009E3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009F1777
__freea.LIBCMT ref: 009F17A2
__freea.LIBCMT ref: 009F17AE

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5c12b00c283fae92213dae330b96b7d69d11f51e0f8ec75343f789ae758e3838
Instruction ID: 9f48746d5b34f40a6eaea2142d12f7dc1a56929efc4ba92c56c13fff676e5353
Opcode Fuzzy Hash: 5c12b00c283fae92213dae330b96b7d69d11f51e0f8ec75343f789ae758e3838
Instruction Fuzzy Hash: 26919172E0021EDADB219EB5C881AFEBBB99F89310F184659FA05E7151DB35DD40CBE0

Function 00A34523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A34648
VariantInit.OLEAUT32(?), ref: 00A34749
VariantClear.OLEAUT32(?), ref: 00A34753
VariantClear.OLEAUT32(?), ref: 00A347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00A3472C
Null Object assignment in FOR..IN loop, xrefs: 00A345D8, 00A34706, 00A347BE

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a80564481406820d0b13ad34b22e740f0a99972b5fe093325c39fd6cca90e62c
Instruction ID: 574303a5947c3653c4da3347f02592211488602cb999c78934fc3cc8c456316a
Opcode Fuzzy Hash: a80564481406820d0b13ad34b22e740f0a99972b5fe093325c39fd6cca90e62c
Instruction Fuzzy Hash: 33918071A00219AFDF20CFA5DC45FAEBBB8EF8A714F108559F505AB290D770A941CFA0

Function 00A21187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A2125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A21284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A2135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A21430

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 2a29044501ab1cfba5bd5d060258d6336240df467aa71ffc0cd07e0a1a0fa5ad
Instruction ID: 1a86fec9a06d5ec47e90a45640b298985547acbe7f39fc6c975fd341d422d03f
Opcode Fuzzy Hash: 2a29044501ab1cfba5bd5d060258d6336240df467aa71ffc0cd07e0a1a0fa5ad
Instruction Fuzzy Hash: 4191BF75A002289FDB00DFACE884BBE77B5FF55324F104039E955EB291D774A941CB90

Function 009C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e476cf7ad106e7c134969ba8f6b360927afa4803596115fc6390ff446853c209
Instruction ID: bf68ba98179b962166e9b2c77a1ac76e4aeafd56d84425651700af4612640f9e
Opcode Fuzzy Hash: e476cf7ad106e7c134969ba8f6b360927afa4803596115fc6390ff446853c209
Instruction Fuzzy Hash: 7A913975D00219EFCB10CFA9C888EEEBBB8FF89320F144449E915B7291D374A942CB61

Function 00A33947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A3396B
CharUpperBuffW.USER32(?,?), ref: 00A33A7A
_wcslen.LIBCMT ref: 00A33A8A
VariantClear.OLEAUT32(?), ref: 00A33C1F

Part of subcall function 00A20CDF: VariantInit.OLEAUT32(00000000), ref: 00A20D1F
Part of subcall function 00A20CDF: VariantCopy.OLEAUT32(?,?), ref: 00A20D28
Part of subcall function 00A20CDF: VariantClear.OLEAUT32(?), ref: 00A20D34

Strings

Incorrect Parameter format, xrefs: 00A339A6, 00A33BA1
AUTOIT.ERROR, xrefs: 00A33A80, 00A33A85

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a5764a90ff327cad012c37922cfc946df14c3b327f6cb256364bf4c151b6b98e
Instruction ID: 2e508b258656922057a41f14d9c08cb5cdb0674985cb0605714e34c77e73dbb6
Opcode Fuzzy Hash: a5764a90ff327cad012c37922cfc946df14c3b327f6cb256364bf4c151b6b98e
Instruction Fuzzy Hash: 8E915775A083019FCB00DF68C591A6AB7E4FF89314F14892DF88A9B351DB31EE45CB92

Function 00A34BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?,?,00A1035E), ref: 00A1002B
Part of subcall function 00A1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?), ref: 00A10046
Part of subcall function 00A1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?), ref: 00A10054
Part of subcall function 00A1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?), ref: 00A10064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A34C51
_wcslen.LIBCMT ref: 00A34D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A34DCF
CoTaskMemFree.OLE32(?), ref: 00A34DDA

Strings

NULL Pointer assignment, xrefs: 00A34E23, 00A34E52

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 63ba1b5e0f52f520dc9c9bbb9efdf16b9db2539969cd79b191c05aafce372ca6
Instruction ID: 05b3d31edc3437cc5a8adcf5315febf30b13a68c365aae61b8f188419bf82630
Opcode Fuzzy Hash: 63ba1b5e0f52f520dc9c9bbb9efdf16b9db2539969cd79b191c05aafce372ca6
Instruction Fuzzy Hash: EE911671D00219AFDF10DFA4C891AEEB7B8FF48310F20816AF915A7251EB34AA45CF60

Function 00A420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A42183
GetMenuItemCount.USER32(00000000), ref: 00A421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A421DD
_wcslen.LIBCMT ref: 00A42213
GetMenuItemID.USER32(?,?), ref: 00A4224D
GetSubMenu.USER32(?,?), ref: 00A4225B

Part of subcall function 00A13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A13A57
Part of subcall function 00A13A3D: GetCurrentThreadId.KERNEL32 ref: 00A13A5E
Part of subcall function 00A13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A125B3), ref: 00A13A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A422E3

Part of subcall function 00A1E97B: Sleep.KERNEL32 ref: 00A1E9F3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3a446081ab78e18498e0e1215d9728bc6d03dd2b1064b0bcb92b19cd9a3e784c
Instruction ID: 88a6aeb0e9756237552de6a8de8410a7bca8ec21def85c3e78cb702ae40c15f2
Opcode Fuzzy Hash: 3a446081ab78e18498e0e1215d9728bc6d03dd2b1064b0bcb92b19cd9a3e784c
Instruction Fuzzy Hash: 1B717E79A00205AFCB10DFA8C945BAEB7F1AFC8320F548499F916EB341D775AD418B90

Function 00A47E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013F79F8), ref: 00A47F37
IsWindowEnabled.USER32(013F79F8), ref: 00A47F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A4801E
SendMessageW.USER32(013F79F8,000000B0,?,?), ref: 00A48051
IsDlgButtonChecked.USER32(?,?), ref: 00A48089
GetWindowLongW.USER32(013F79F8,000000EC), ref: 00A480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A480C3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: cab1615d713d6435a83c30d4c62436803f1f92b5f466c556dd0b3800681cbcb3
Instruction ID: 0c555d1818d549c75a90d3e441efe15f9d97f9757cf0d665cc45c20db1ce85f1
Opcode Fuzzy Hash: cab1615d713d6435a83c30d4c62436803f1f92b5f466c556dd0b3800681cbcb3
Instruction Fuzzy Hash: FF71913C609244AFEB21DF64D884FBEBBB9EF89310F14445AF94597261CB36AC49DB10

Function 00A1AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A1AEF9
GetKeyboardState.USER32(?), ref: 00A1AF0E
SetKeyboardState.USER32(?), ref: 00A1AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A1AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A1AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A1AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A1B020

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8cd84d26daa2706e3da75c1e9a52fee446c5ca2a52453aa777f44bf921b28855
Instruction ID: 94781f747aa27f35959ce4beb9cb7530da96cc4b8714cba779a2953c56603c58
Opcode Fuzzy Hash: 8cd84d26daa2706e3da75c1e9a52fee446c5ca2a52453aa777f44bf921b28855
Instruction Fuzzy Hash: 2B51DEA0A157D53DFB3683348C45BFABEA95B06304F088589F1E9858C2C3E9ACC9D761

Function 00A1ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A1AD19
GetKeyboardState.USER32(?), ref: 00A1AD2E
SetKeyboardState.USER32(?), ref: 00A1AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A1ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A1ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A1AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A1AE38

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 038594f307719b6ab3f8c093c286ef1b102ebcd77f7b3db598d1ae6c0ddc6069
Instruction ID: c631ea86503c90f18553a589d7a678a121174d5bd456d02f113b0fecb116cf6c
Opcode Fuzzy Hash: 038594f307719b6ab3f8c093c286ef1b102ebcd77f7b3db598d1ae6c0ddc6069
Instruction Fuzzy Hash: 6E51D6A16067E53DFB3783748C55BFABEA95B56300F088488E1D9468C3D3A4ECD8D762

Function 009E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(009F3CD6,?,?,?,?,?,?,?,?,009E5BA3,?,?,009F3CD6,?,?), ref: 009E5470
__fassign.LIBCMT ref: 009E54EB
__fassign.LIBCMT ref: 009E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,009F3CD6,00000005,00000000,00000000), ref: 009E552C
WriteFile.KERNEL32(?,009F3CD6,00000000,009E5BA3,00000000,?,?,?,?,?,?,?,?,?,009E5BA3,?), ref: 009E554B
WriteFile.KERNEL32(?,?,00000001,009E5BA3,00000000,?,?,?,?,?,?,?,?,?,009E5BA3,?), ref: 009E5584

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6afa5024f2f61943536f7de183535f16ab38a088e38b37918d05c80b299aff6c
Instruction ID: 62d01e19e35273434d7d982a0de10a6b33960912e6c8a740a18a6b77eda9a80a
Opcode Fuzzy Hash: 6afa5024f2f61943536f7de183535f16ab38a088e38b37918d05c80b299aff6c
Instruction Fuzzy Hash: A1511370A006899FCB11CFA9DC45AEEBBF9EF49300F15411AF545E7291E730AE41CB60

Function 009D2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 009D2D53
_ValidateLocalCookies.LIBCMT ref: 009D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 009D2E0C
_ValidateLocalCookies.LIBCMT ref: 009D2E61

Strings

csm, xrefs: 009D2DF6

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: dfb82a745c39429695e2c7208981cd88bd20c3d2dc8498907f9a689040b78677
Instruction ID: f286e59acae26101af8d4c823e1a0f45173f71cc56a28a47125b4c493964f508
Opcode Fuzzy Hash: dfb82a745c39429695e2c7208981cd88bd20c3d2dc8498907f9a689040b78677
Instruction Fuzzy Hash: 6E418134A40209EBCF10DF68CC45A9EBBB9BF95325F14C156E814AB392D735AE05CBD1

Function 00A310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A3307A
Part of subcall function 00A3304E: _wcslen.LIBCMT ref: 00A3309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A31112
WSAGetLastError.WSOCK32 ref: 00A31121
WSAGetLastError.WSOCK32 ref: 00A311C9
closesocket.WSOCK32(00000000), ref: 00A311F9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: fe63b5222c2f2e6df3eb9199fd7296bd0734f90c4b708858e6939b8bd5df807e
Instruction ID: b6a1b92320079ee219c173bc3e134606bea21187c1aa5440b4ca9982258ad603
Opcode Fuzzy Hash: fe63b5222c2f2e6df3eb9199fd7296bd0734f90c4b708858e6939b8bd5df807e
Instruction Fuzzy Hash: 7F41F235600204AFDB10DF54C885BEABBF9EF85324F148259FD099B291D771AD82CBE1

Function 00A1CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A1CF22,?), ref: 00A1DDFD

Part of subcall function 00A1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A1CF22,?), ref: 00A1DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A1CF45
MoveFileW.KERNEL32(?,?), ref: 00A1CF7F
_wcslen.LIBCMT ref: 00A1D005
_wcslen.LIBCMT ref: 00A1D01B
SHFileOperationW.SHELL32(?), ref: 00A1D061

Strings

\*.*, xrefs: 00A1CFF3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 60790afc9818d568582f47d91453be1bd13f919f59ef2d73d0651fba9a39979b
Instruction ID: f5d9db5f3f5caa2cf35ac479487bc6a0607e65ff2aec071132ad53d48e917d0c
Opcode Fuzzy Hash: 60790afc9818d568582f47d91453be1bd13f919f59ef2d73d0651fba9a39979b
Instruction Fuzzy Hash: 7E41A7718452189FDF12EFA4CA81BDDB7B9AF48790F0400E6E509EB141EB30AB89CB50

Function 00A42DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A42E1C
GetWindowLongW.USER32(?,000000F0), ref: 00A42E4F
GetWindowLongW.USER32(?,000000F0), ref: 00A42E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A42EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A42EE0
GetWindowLongW.USER32(?,000000F0), ref: 00A42EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A42F0B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2ca4d4f83778b9e1d54a1f4bfc2226f68c2457127e3d0e2dad984e12952b2930
Instruction ID: f6f40fc3cc9333be3039571787a5d54c686e0847aeed5af0c8e66760ea3cb0db
Opcode Fuzzy Hash: 2ca4d4f83778b9e1d54a1f4bfc2226f68c2457127e3d0e2dad984e12952b2930
Instruction Fuzzy Hash: D1313538645240AFEB20CF98DC86F653BE4FB8A720F950164F9148F2B2CB71AC42DB01

Function 00A17726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A17769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A1778F
SysAllocString.OLEAUT32(00000000), ref: 00A17792
SysAllocString.OLEAUT32(?), ref: 00A177B0
SysFreeString.OLEAUT32(?), ref: 00A177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A177DE
SysAllocString.OLEAUT32(?), ref: 00A177EC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9fe04959dd9bed5446db94265151dd21559c34d70ed10e4ace7ba40921615e45
Instruction ID: 53651bb81e4b5574f2aeabfd539b8a0da525d14a6601a926b7ad053cff613cf6
Opcode Fuzzy Hash: 9fe04959dd9bed5446db94265151dd21559c34d70ed10e4ace7ba40921615e45
Instruction Fuzzy Hash: 9C21B07A605219AFDB10EFA8CC88DFF73BCEB49364B048025FA19DB191D670DC828760

Function 00A177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A17842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A17868
SysAllocString.OLEAUT32(00000000), ref: 00A1786B
SysAllocString.OLEAUT32 ref: 00A1788C
SysFreeString.OLEAUT32 ref: 00A17895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A178AF
SysAllocString.OLEAUT32(?), ref: 00A178BD

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 462e268762b41c2f296df72d2b990c55d97b8a27587550beca830cb545515a4c
Instruction ID: 549580fb4534a080a66f15545bba9780356d69da0b34cba87dbdc9143724afa3
Opcode Fuzzy Hash: 462e268762b41c2f296df72d2b990c55d97b8a27587550beca830cb545515a4c
Instruction Fuzzy Hash: 71213C3A609204AFDB10AFE8DC8CDEA77BCEB497607108125B915CB2A1DA74DCC1CB74

Function 00A204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A2052E

Strings

nul, xrefs: 00A20567

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b042834446c51806f42447d6a8336c44c2fa58f0ec49f109a893cf1ce763e06a
Instruction ID: 6efb39d6092d5fdea76b6c5632b91d0d4ba6b46e9133f353365b3fd8e0d119f9
Opcode Fuzzy Hash: b042834446c51806f42447d6a8336c44c2fa58f0ec49f109a893cf1ce763e06a
Instruction Fuzzy Hash: A321A274600315ABCB209F6CEC04E9A7BF4AF45720F208A28F8A1D61E1D7B09940CF60

Function 00A205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A20601

Strings

nul, xrefs: 00A20639

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 843a81e4dd1eb9d67ee8ff3783ed7c248949945accddb019d04ac387a3fa9a69
Instruction ID: 720d6ec41f89a237c7c65776a2ad5b73ebc131a44ec7ae7cfdba84a640457645
Opcode Fuzzy Hash: 843a81e4dd1eb9d67ee8ff3783ed7c248949945accddb019d04ac387a3fa9a69
Instruction Fuzzy Hash: 462171795003259FDB209F6DAC44E9A77F4AF95730F204A29F8A1E72E1D7F19861CB10

Function 00A440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009B604C
Part of subcall function 009B600E: GetStockObject.GDI32(00000011), ref: 009B6060
Part of subcall function 009B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A44112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A4411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A4412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A44139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A44145

Strings

Msctls_Progress32, xrefs: 00A440E3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 390b87fe4a90032888388ec0e0b8592b7e7a572dd32f35b393a1f6ed7fc92136
Instruction ID: 8b5932dd475f9460df3f774cdec92919207b2d9817c792afdb9d2b04ea79779d
Opcode Fuzzy Hash: 390b87fe4a90032888388ec0e0b8592b7e7a572dd32f35b393a1f6ed7fc92136
Instruction Fuzzy Hash: 2711B6B514011D7EEF119F64CC85EE77F5DEF48798F014111BA18A2050C7769C21DBA4

Function 009ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009ED7A3: _free.LIBCMT ref: 009ED7CC

_free.LIBCMT ref: 009ED82D

Part of subcall function 009E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000), ref: 009E29DE
Part of subcall function 009E29C8: GetLastError.KERNEL32(00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000,00000000), ref: 009E29F0

_free.LIBCMT ref: 009ED838
_free.LIBCMT ref: 009ED843
_free.LIBCMT ref: 009ED897
_free.LIBCMT ref: 009ED8A2
_free.LIBCMT ref: 009ED8AD
_free.LIBCMT ref: 009ED8B8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 2d451fa8fd258759e8b0fa6a61b5183988e099968022947d76be6be5084bc459
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 8A1121B1542B88AAE523BFB2CC47FCB7BDC6F84700F404825B699A6493DA6ABD054650

Function 00A1DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A1DA74
LoadStringW.USER32(00000000), ref: 00A1DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A1DA91
LoadStringW.USER32(00000000), ref: 00A1DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A1DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A1DAB9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: dbb26e85160be259ee9bf61c7fe5fd0fcc3c65df22cfaad4c2c816fad7b100f1
Instruction ID: 0d31ba0bdc696a15f90a263826fb29ddbebf2fa569867fe35e70bbd1389c48d0
Opcode Fuzzy Hash: dbb26e85160be259ee9bf61c7fe5fd0fcc3c65df22cfaad4c2c816fad7b100f1
Instruction Fuzzy Hash: 720186FA5002087FE750DBE49D89EE7736CEB09351F404591B70EE2042EA749E858F74

Function 00A2096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(013F08A0,013F08A0), ref: 00A2097B
EnterCriticalSection.KERNEL32(013F0880,00000000), ref: 00A2098D
TerminateThread.KERNEL32(?,000001F6), ref: 00A2099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00A209A9
CloseHandle.KERNEL32(?), ref: 00A209B8
InterlockedExchange.KERNEL32(013F08A0,000001F6), ref: 00A209C8
LeaveCriticalSection.KERNEL32(013F0880), ref: 00A209CF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 595762d4cdf40f1b837954f1827832c170eab1ef367814c0aece5ee271041809
Instruction ID: 18c7d59bb9034c1a5120ab6cc572b5789f96e41de42dba4c46dd719098e2e88f
Opcode Fuzzy Hash: 595762d4cdf40f1b837954f1827832c170eab1ef367814c0aece5ee271041809
Instruction Fuzzy Hash: BAF03139543912BBD791AFD4EE8CBD6BB35FF46712F401025F206508A1C7B69466CF90

Function 009B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 009B5D30
GetWindowRect.USER32(?,?), ref: 009B5D71
ScreenToClient.USER32(?,?), ref: 009B5D99
GetClientRect.USER32(?,?), ref: 009B5ED7
GetWindowRect.USER32(?,?), ref: 009B5EF8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5f4509f4952af82b79bf28cabedff8c7b181c5f1e7acd9b1d26dcb6fc8f3b2be
Instruction ID: 2fb54eb04e0ce80609a1bfc57b8cc187a0e0cde6d511660c5f2cb56ff4e07715
Opcode Fuzzy Hash: 5f4509f4952af82b79bf28cabedff8c7b181c5f1e7acd9b1d26dcb6fc8f3b2be
Instruction Fuzzy Hash: 3FB16638A0064ADBDB10CFA8C5847EAB7F5BF48320F14891AE9A9D7250DB34EA51DB54

Function 009E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009E00D6
__allrem.LIBCMT ref: 009E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009E010B
__allrem.LIBCMT ref: 009E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009E0140

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: b380985ce51e25218967c0dea495dfce9124276ddffae5e3904cef02d05d2871
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: E0810771A007469BE7219F6ACC52B6B73E9EFC1724F24853AF551DA381E7B0DD408B90

Function 00A31D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A33149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00A3101C,00000000,?,?,00000000), ref: 00A33195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A31DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A31DE1
WSAGetLastError.WSOCK32 ref: 00A31DF2
inet_ntoa.WSOCK32(?), ref: 00A31E8C
htons.WSOCK32(?,?,?,?,?), ref: 00A31EDB
_strlen.LIBCMT ref: 00A31F35

Part of subcall function 00A139E8: _strlen.LIBCMT ref: 00A139F2

Part of subcall function 009B6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,009CCF58,?,?,?), ref: 009B6DBA
Part of subcall function 009B6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,009CCF58,?,?,?), ref: 009B6DED

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 12719b8dc640fc456cdd65e5811d6e7e6d58f67ac4a3b50d9555f845ea19bd5d
Instruction ID: be0318efb6698eb6ce3d959363ab4620303b804102371c447aa0a29356209cf8
Opcode Fuzzy Hash: 12719b8dc640fc456cdd65e5811d6e7e6d58f67ac4a3b50d9555f845ea19bd5d
Instruction Fuzzy Hash: 52A1CD31604300AFC324DF24C895F6ABBA5AFC5328F54895DF45A5B2A2DB71ED42CB92

Function 009E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009D82D9,009D82D9,?,?,?,009E644F,00000001,00000001,8BE85006), ref: 009E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009E644F,00000001,00000001,8BE85006,?,?,?), ref: 009E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009E63D8
__freea.LIBCMT ref: 009E63E5

Part of subcall function 009E3820: RtlAllocateHeap.NTDLL(00000000,?,00A81444,?,009CFDF5,?,?,009BA976,00000010,00A81440,009B13FC,?,009B13C6,?,009B1129), ref: 009E3852

__freea.LIBCMT ref: 009E63EE
__freea.LIBCMT ref: 009E6413

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 450eb53a6db6869e1afd41243cecaa979dcb758e2a15df9479d8ec4a68a4f68f
Instruction ID: 69137cd46f76eca8091b1c11da214cef156ac31877245418d95eadd166868a50
Opcode Fuzzy Hash: 450eb53a6db6869e1afd41243cecaa979dcb758e2a15df9479d8ec4a68a4f68f
Instruction Fuzzy Hash: D551F372600296ABDB278F66CC81FBF77A9EB94790F144629FD05D7180EB35DC40C660

Function 00A3BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A3B6AE,?,?), ref: 00A3C9B5
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3C9F1
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA68
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A3BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A3BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A3BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A3BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A3BDF3
RegCloseKey.ADVAPI32(?), ref: 00A3BDFF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b02105eca3881b4cc519f2a82f333ba6a93fb110c14dc57bf1e9c77d69c6ea12
Instruction ID: d6473101bcdb11a3fd362f3c9e72a255e287acf2bd3c7f3265f3d83bf5a2434d
Opcode Fuzzy Hash: b02105eca3881b4cc519f2a82f333ba6a93fb110c14dc57bf1e9c77d69c6ea12
Instruction Fuzzy Hash: D981B034218241EFC714DF24C891E6ABBE6FF84358F14855CF5594B2A2DB32ED05CBA2

Function 00A0F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A0F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A0F860
VariantCopy.OLEAUT32(00A0FA64,00000000), ref: 00A0F889
VariantClear.OLEAUT32(00A0FA64), ref: 00A0F8AD
VariantCopy.OLEAUT32(00A0FA64,00000000), ref: 00A0F8B1
VariantClear.OLEAUT32(?), ref: 00A0F8BB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0fd6f725e4396a6b8aade99fad3e65e5d623b717e1227a7b27ee8af804e69843
Instruction ID: 4c7f7e063bed7431d7a9da7af419749b6180e5155a839b74d830f400bc6e0aa3
Opcode Fuzzy Hash: 0fd6f725e4396a6b8aade99fad3e65e5d623b717e1227a7b27ee8af804e69843
Instruction Fuzzy Hash: 37510935600318BEDF34AB65E895B69B3A4EF85320B209467E906FF6D1D7708C40C796

Function 00A2910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 009B7620: _wcslen.LIBCMT ref: 009B7625

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A294E5
_wcslen.LIBCMT ref: 00A29506
_wcslen.LIBCMT ref: 00A2952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A29585

Strings

X, xrefs: 00A29412

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 66a303c690b76f22558974ab40403691273465a7c286fe4949795d2260a4c534
Instruction ID: c4cd94caadc743536c2c7d6a32f6b3bed28100262dbdb6db06d963efc7a14933
Opcode Fuzzy Hash: 66a303c690b76f22558974ab40403691273465a7c286fe4949795d2260a4c534
Instruction Fuzzy Hash: 2DE18E316043109FD724DF28D981BAAB7E4BFC5720F14896DF8999B2A2DB31DD05CB92

Function 009C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

BeginPaint.USER32(?,?,?), ref: 009C9241
GetWindowRect.USER32(?,?), ref: 009C92A5
ScreenToClient.USER32(?,?), ref: 009C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009C92D3
EndPaint.USER32(?,?,?,?,?), ref: 009C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A071EA

Part of subcall function 009C9339: BeginPath.GDI32(00000000), ref: 009C9357

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9a6b34b7c4f317921c0e323ce41d290c9701ba60aebcc12242226c06a519dc9a
Instruction ID: 754ec1a877508ff9e174a401707e2062e4f325db968e9d9490dd498c402b0dcf
Opcode Fuzzy Hash: 9a6b34b7c4f317921c0e323ce41d290c9701ba60aebcc12242226c06a519dc9a
Instruction Fuzzy Hash: 9C41B034505300AFD711DF64DC88FAA7BA8EF8A320F04066DF9A4871F1C7319846DB62

Function 00A207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A2080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A20847
EnterCriticalSection.KERNEL32(?), ref: 00A20863
LeaveCriticalSection.KERNEL32(?), ref: 00A208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A20921

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: bee8ae78fef4e4801ebfa06b2499a6df6d9a56bbd66818ae6556ae32e5a58248
Instruction ID: b12b34e6fc6b3e68ba8fc53e2fe95b2b64218b1eb3c8a79c5a520e831e128caf
Opcode Fuzzy Hash: bee8ae78fef4e4801ebfa06b2499a6df6d9a56bbd66818ae6556ae32e5a58248
Instruction Fuzzy Hash: 34418B35900205ABDF04EF98DC85BAA7779FF44310F1080B9E9049A297D771DE51DBA0

Function 00A481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A0F3AB,00000000,?,?,00000000,?,00A0682C,00000004,00000000,00000000), ref: 00A4824C
EnableWindow.USER32(?,00000000), ref: 00A48272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A482D1
ShowWindow.USER32(?,00000004), ref: 00A482E5
EnableWindow.USER32(?,00000001), ref: 00A4830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A4832F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 67c1aa6f67a5709d00342d3557fd9641ecbb9c311766f8d34bf433dd5d883874
Instruction ID: 637e9fffaf23af9854751d753e7794bc5814440074a142eba642c09fac5e7177
Opcode Fuzzy Hash: 67c1aa6f67a5709d00342d3557fd9641ecbb9c311766f8d34bf433dd5d883874
Instruction Fuzzy Hash: 4B41B63C601644AFDB11CF55E899BE87BE0FB8A714F185269E5184F272CB7AAC42CB50

Function 00A14C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A14C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A14CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A14CEA
_wcslen.LIBCMT ref: 00A14D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A14D10
_wcsstr.LIBVCRUNTIME ref: 00A14D1A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 47bf82a77edf08c543cf5ac058f678be53390223f59e6bf2c0a2acbdbc318cb2
Instruction ID: 5aa327ca885f7f4605dcba851364d4f4d9b05116f8a958b0560a039c2babd033
Opcode Fuzzy Hash: 47bf82a77edf08c543cf5ac058f678be53390223f59e6bf2c0a2acbdbc318cb2
Instruction Fuzzy Hash: 32213B766052007BEB159B7DEC09FBB7BACDF89760F10803DF809CB192EA65CC4192A0

Function 00A2581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B3A97,?,?,009B2E7F,?,?,?,00000000), ref: 009B3AC2

_wcslen.LIBCMT ref: 00A2587B
CoInitialize.OLE32(00000000), ref: 00A25995
CoCreateInstance.OLE32(00A4FCF8,00000000,00000001,00A4FB68,?), ref: 00A259AE
CoUninitialize.OLE32 ref: 00A259CC

Strings

.lnk, xrefs: 00A25876, 00A258C1, 00A25985

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: e23b90023e95b5f4fb4c3ef285601445f4d459cf15677d81243540d45e171e89
Instruction ID: 2ff21da0b55d08dbb2ec7322e6f58ad24a8a03e88225baaacbec200e611abf36
Opcode Fuzzy Hash: e23b90023e95b5f4fb4c3ef285601445f4d459cf15677d81243540d45e171e89
Instruction Fuzzy Hash: 35D17474A047109FC714DF28D584A6ABBE1FF89320F10896DF88A9B361D731EC45CB92

Function 00A1175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A10FCA
Part of subcall function 00A10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A10FD6
Part of subcall function 00A10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A10FE5
Part of subcall function 00A10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A10FEC
Part of subcall function 00A10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A11002

GetLengthSid.ADVAPI32(?,00000000,00A11335), ref: 00A117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A117BA
HeapAlloc.KERNEL32(00000000), ref: 00A117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A117DA
GetProcessHeap.KERNEL32(00000000,00000000,00A11335), ref: 00A117EE
HeapFree.KERNEL32(00000000), ref: 00A117F5

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5ca180eec16664957167f68d689048e76b188ac224a9c89f9d458bb3fa2058f8
Instruction ID: d695b89172910ea6da08b9057e55624d52008e8173d0bb1f5cd5ffe7a85b07fb
Opcode Fuzzy Hash: 5ca180eec16664957167f68d689048e76b188ac224a9c89f9d458bb3fa2058f8
Instruction Fuzzy Hash: BC11AC39502205EFDB10DFA8CC49FEE7BB9EB82365F144118F58597250D736A981CF60

Function 00A114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A11506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A11515
CloseHandle.KERNEL32(00000004), ref: 00A11520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A1154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A11563

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5577b962b42c000862889fc1be73a552d70d76a57f3bb8bafb7015d38272feb4
Instruction ID: 71027ac8c1ad04fb870d358897644952cdc2a8d90d80e3287881b3429bf9e8fc
Opcode Fuzzy Hash: 5577b962b42c000862889fc1be73a552d70d76a57f3bb8bafb7015d38272feb4
Instruction Fuzzy Hash: A1115C7A601209ABDF11CFD4DD49FDE7BA9EF89714F044014FA05A2060C3768E61DB60

Function 009D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009D3379,009D2FE5), ref: 009D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009D33B7
SetLastError.KERNEL32(00000000,?,009D3379,009D2FE5), ref: 009D3409

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7672fc8a56edc56d0e173e8cdd3f38316e7b0c638af52b852c94608be749d053
Instruction ID: 07bf26bd9c4dab9dcfee80f518ab9415a4f92da4e8acef51170ab76209c30098
Opcode Fuzzy Hash: 7672fc8a56edc56d0e173e8cdd3f38316e7b0c638af52b852c94608be749d053
Instruction Fuzzy Hash: 2E012432289711BEE6252BF47D866266A98EB4577B360C22FF414843F0FF128D03918A

Function 009E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009E5686,009F3CD6,?,00000000,?,009E5B6A,?,?,?,?,?,009DE6D1,?,00A78A48), ref: 009E2D78
_free.LIBCMT ref: 009E2DAB
_free.LIBCMT ref: 009E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,009DE6D1,?,00A78A48,00000010,009B4F4A,?,?,00000000,009F3CD6), ref: 009E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,009DE6D1,?,00A78A48,00000010,009B4F4A,?,?,00000000,009F3CD6), ref: 009E2DEC
_abort.LIBCMT ref: 009E2DF2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c5ec48bbe309b65eb3f2a3ec44f7bf865e894eebd34bc37f9e88dbf5d9602ccf
Instruction ID: 69ea7e9a01834320021aad4d4bd6dae719fdecb6dc03308c72d527db03c24069
Opcode Fuzzy Hash: c5ec48bbe309b65eb3f2a3ec44f7bf865e894eebd34bc37f9e88dbf5d9602ccf
Instruction Fuzzy Hash: 23F0283A90568027C2537777BC0AF1A275DAFC27B0F358518FA28D72D2EE249C824120

Function 00A48A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009C9693
Part of subcall function 009C9639: SelectObject.GDI32(?,00000000), ref: 009C96A2
Part of subcall function 009C9639: BeginPath.GDI32(?), ref: 009C96B9
Part of subcall function 009C9639: SelectObject.GDI32(?,00000000), ref: 009C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A48A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A48A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A48A70
LineTo.GDI32(?,00000000,00000003), ref: 00A48A80
EndPath.GDI32(?), ref: 00A48A90
StrokePath.GDI32(?), ref: 00A48AA0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2027ed3bf29d36d694bb5c47c45a5f24fccde2b0f6e5926e6adafe3fbf5952da
Instruction ID: 287566f87e755740d8bcb9555d83570b8ead3b7c7d4977f958824bb198886657
Opcode Fuzzy Hash: 2027ed3bf29d36d694bb5c47c45a5f24fccde2b0f6e5926e6adafe3fbf5952da
Instruction Fuzzy Hash: 2D110C7A00110CFFDB11DFD4EC48E9A7F6CEB49360F048021FA19951A1C7729D56DB60

Function 00A151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A15218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A15229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A15230
ReleaseDC.USER32(00000000,00000000), ref: 00A15238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A1524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A15261

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 78e819211641442387f197dd2325700ed04d81086270b2e85e04d5889eb6f8a3
Instruction ID: 8bd9f369d506854ff77b0d46312d8f91f0f6699a2d531b89849d751c2c148b0e
Opcode Fuzzy Hash: 78e819211641442387f197dd2325700ed04d81086270b2e85e04d5889eb6f8a3
Instruction Fuzzy Hash: A7018479E01708BBEB109BF59C49A8EBF78EF85361F044065FA08A7290D6719801CB60

Function 009B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 009B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 009B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 009B1C22

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4c63f1a5c6258711c186c739fbc89b195ec7a41bf34b7ed674e4a6101eed2e39
Instruction ID: 63ca1a9d187b8b08806abbff0b4194d28af8b850af334d651932be49a0b72966
Opcode Fuzzy Hash: 4c63f1a5c6258711c186c739fbc89b195ec7a41bf34b7ed674e4a6101eed2e39
Instruction Fuzzy Hash: A00167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CFE5

Function 00A1EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A1EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A1EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A1EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A1EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A1EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A1EB75

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: eed3f846f895bcd57bf1574d02227c5cc7e87de8f044f140eb1375e1e92a4478
Instruction ID: db2ea8b3224cf66ee7eac97d96973465e58d14e554e79a6471333e064fe7de79
Opcode Fuzzy Hash: eed3f846f895bcd57bf1574d02227c5cc7e87de8f044f140eb1375e1e92a4478
Instruction Fuzzy Hash: F0F0B47E202158BBE7609B929C0DEEF7E7CEFCBB21F004158F605D1090D7A11A02C6B4

Function 00A07439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A07452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A07469
GetWindowDC.USER32(?), ref: 00A07475
GetPixel.GDI32(00000000,?,?), ref: 00A07484
ReleaseDC.USER32(?,00000000), ref: 00A07496
GetSysColor.USER32(00000005), ref: 00A074B0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: dd2d05464afc2622d1a653a4fa389269db139221cea3c635ca1e9829b34f0487
Instruction ID: 21701cc19f785adfe5df85a817d8ea694161dd574b4911e5c98b42435f981e8c
Opcode Fuzzy Hash: dd2d05464afc2622d1a653a4fa389269db139221cea3c635ca1e9829b34f0487
Instruction Fuzzy Hash: 03018F39801205EFDB919FA4DC08BAE7BB5FB45321F214164F91AA20E1CB322D42AB11

Function 00A11874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A1187F
UnloadUserProfile.USERENV(?,?), ref: 00A1188B
CloseHandle.KERNEL32(?), ref: 00A11894
CloseHandle.KERNEL32(?), ref: 00A1189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A118A5
HeapFree.KERNEL32(00000000), ref: 00A118AC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b1a60d6ed2cbe84a02d2a1fdf712f5aba63c277a3f85f79cb27ccfe35a827c81
Instruction ID: 88f24a93b47f67817dc896cf53e71b1cacd6eb5f5f11c099e29b1b11e0fcd487
Opcode Fuzzy Hash: b1a60d6ed2cbe84a02d2a1fdf712f5aba63c277a3f85f79cb27ccfe35a827c81
Instruction Fuzzy Hash: E0E0C93E105101BBD6419FE5ED0C905BF29FB8A7317108220F22985070CB336422DB50

Function 00A1C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B7620: _wcslen.LIBCMT ref: 009B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A1C6EE
_wcslen.LIBCMT ref: 00A1C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A1C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A1C7CA

Strings

0, xrefs: 00A1C6AF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6527a51a0b3f544a47d5e0bc8265354f1da452306f38b9de612c23ca3638aacf
Instruction ID: f07d041628b22de3d674ae2b526cdd51d8798bc3334d6ba8fcf1a4cea208e7e7
Opcode Fuzzy Hash: 6527a51a0b3f544a47d5e0bc8265354f1da452306f38b9de612c23ca3638aacf
Instruction Fuzzy Hash: 8A51CE716843509BD7149F68C885BEBB7E8AF89330F040A2DF9A5D31E1DBA0D984CB52

Function 00A3AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A3AEA3

Part of subcall function 009B7620: _wcslen.LIBCMT ref: 009B7625

GetProcessId.KERNEL32(00000000), ref: 00A3AF38
CloseHandle.KERNEL32(00000000), ref: 00A3AF67

Strings

<, xrefs: 00A3AE6B
@, xrefs: 00A3AE72

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 33f2a19ae6614149dd05501a05ac1f8291e8f238f44ab72a0e81402ba065cc67
Instruction ID: 8a9d7e29167202ca9a7358b7995f9ee99ba718dcdfcb93e026170f0ce3f13f09
Opcode Fuzzy Hash: 33f2a19ae6614149dd05501a05ac1f8291e8f238f44ab72a0e81402ba065cc67
Instruction Fuzzy Hash: 47716875A00229DFCB14DF94C585A9EBBF0BF48310F148499F85AAB3A2C775ED41CB91

Function 00A1719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A17206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A1723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A1724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A172CF

Strings

DllGetClassObject, xrefs: 00A17242

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 92d8a1f04d9af0904d8164a1cd23d1b46474e125f1895ceace0abe98bea9dd73
Instruction ID: 0738134c6c29f9c0f79f4562b49cac618e8ebb2732363ce1046fc03618410eda
Opcode Fuzzy Hash: 92d8a1f04d9af0904d8164a1cd23d1b46474e125f1895ceace0abe98bea9dd73
Instruction Fuzzy Hash: 09419175604204EFDB15CF54C884ADE7BB9EF89310F1490A9BD099F20AD7B1DD86CBA0

Function 00A43D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A43E35
IsMenu.USER32(?), ref: 00A43E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A43E92
DrawMenuBar.USER32 ref: 00A43EA5

Strings

0, xrefs: 00A43D89

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6a6849db0ec50823bc9eef8968e7707b670b64c752efb8a3c8d5c1cfd05e5cf4
Instruction ID: 64263552b7a005ee92c739d1977bae36c56026bafc5240260b06430b31a73d0b
Opcode Fuzzy Hash: 6a6849db0ec50823bc9eef8968e7707b670b64c752efb8a3c8d5c1cfd05e5cf4
Instruction Fuzzy Hash: C541487AA02209EFDF10DF90D885AAABBF9FF89360F044129E915A7250D770AE45CF50

Function 00A11DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A11E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A11E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A11EA9

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

Strings

ListBox, xrefs: 00A11E25
ComboBox, xrefs: 00A11DF0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a259cdcb58928d31e4eba54bb2b1f7974bab79e7519d9bb73441bc4c6b62f500
Instruction ID: 3f5a781044ed990744dea8e1bcacca2f2cbf4f3d689ccff5b53012daac3b8b33
Opcode Fuzzy Hash: a259cdcb58928d31e4eba54bb2b1f7974bab79e7519d9bb73441bc4c6b62f500
Instruction Fuzzy Hash: 28216875A00104BFDF14ABF0CD45DFFB7B9EF82360B148519F92AA31E1DB38494A8A20

Function 00A3C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A3C9F1
_wcslen.LIBCMT ref: 00A3CA68
_wcslen.LIBCMT ref: 00A3CA9E
_wcslen.LIBCMT ref: 00A3CAF9
_wcslen.LIBCMT ref: 00A3CB2F
_wcslen.LIBCMT ref: 00A3CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00A3CA62, 00A3CA67
HKLM, xrefs: 00A3CA98, 00A3CA9D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 1681cc4c0c64ed7c4f6bba528871312020cad6ac808a2af93d5a1c262219ea0c
Instruction ID: 49d7bf839932dd6e90b8eb0b1e0fd1b32a0138a337352ce4bd540d2811e027be
Opcode Fuzzy Hash: 1681cc4c0c64ed7c4f6bba528871312020cad6ac808a2af93d5a1c262219ea0c
Instruction Fuzzy Hash: C431B673E401694BCB20EF6D9D505BE37939BA17F0F15802AF845BB345EA71CE4193A0

Function 00A42F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A42F8D
LoadLibraryW.KERNEL32(?), ref: 00A42F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A42FA9
DestroyWindow.USER32(?), ref: 00A42FB1

Strings

SysAnimate32, xrefs: 00A42F68

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: c1493832e92953b29c4d99293a33cf454ec42446973f50770510b9eee28eb33e
Instruction ID: 7185ab0152dfbe6005c07b4c580c5014eefad2932c1a900dfea5c35f3f56cca9
Opcode Fuzzy Hash: c1493832e92953b29c4d99293a33cf454ec42446973f50770510b9eee28eb33e
Instruction Fuzzy Hash: 0821CD79200209ABEB108FA4DC80FBB77BDEBD9364FD04618F954D2190D772DCA69760

Function 009D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009D4D1E,009E28E9,?,009D4CBE,009E28E9,00A788B8,0000000C,009D4E15,009E28E9,00000002), ref: 009D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,009D4D1E,009E28E9,?,009D4CBE,009E28E9,00A788B8,0000000C,009D4E15,009E28E9,00000002,00000000), ref: 009D4DC3

Strings

CorExitProcess, xrefs: 009D4D98
mscoree.dll, xrefs: 009D4D86

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d30c382dd68cfeff95b18fbd8ec7bbda8805dfeb0e2f0dcadb14648965933793
Instruction ID: 216f89ce86f76c7bbc60748bd8c51121f013619e7217eac9dd98be3d9a9ba475
Opcode Fuzzy Hash: d30c382dd68cfeff95b18fbd8ec7bbda8805dfeb0e2f0dcadb14648965933793
Instruction Fuzzy Hash: 95F0C838541208BBDB109FD4DC09B9DBFB9FF84722F004155F809A6290CB356D41CF90

Function 009B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,009B4EDD,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009B4EAE
FreeLibrary.KERNEL32(00000000,?,?,009B4EDD,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 009B4EA8
kernel32.dll, xrefs: 009B4E94

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d937b8e57c647a6f533828850da2be13ebfb3027d8d220618a47de3364792f72
Instruction ID: 582284f379df4db9f8b1621b76174473a847e216a82a9ac11470750c37ac1cbc
Opcode Fuzzy Hash: d937b8e57c647a6f533828850da2be13ebfb3027d8d220618a47de3364792f72
Instruction Fuzzy Hash: 86E0CD3EA035226BD271576D6C18B9F755CBFC2F727050215FC08D2102DB65CD0395A1

Function 009B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,009F3CDE,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009B4E74
FreeLibrary.KERNEL32(00000000,?,?,009F3CDE,?,00A81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009B4E87

Strings

kernel32.dll, xrefs: 009B4E5B
Wow64RevertWow64FsRedirection, xrefs: 009B4E6E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d512537cbb5319a3f29399b4bf04d227cae409fe7574d4a0d3977008b69143c1
Instruction ID: 9d34dfeaab1a308a8e0615f0c9405f3f62a25591d1a97bb58758b01cf6dbaa83
Opcode Fuzzy Hash: d512537cbb5319a3f29399b4bf04d227cae409fe7574d4a0d3977008b69143c1
Instruction Fuzzy Hash: CAD0C23E503A2167CA621B287C08DCB2B1CBFC2F313054610B809A2111CF66CD02D5E2

Function 00A22947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A22C05
DeleteFileW.KERNEL32(?), ref: 00A22C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A22C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A22CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A22CC0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 75ea3f7d5e2c81948b2d04c60ab5e83e7262b0555091faaaf2db06a17f13a75c
Instruction ID: 8512174145b1f7f1f781ef7e19b21714cd6d26591b62e55ed6af860b8bd66d82
Opcode Fuzzy Hash: 75ea3f7d5e2c81948b2d04c60ab5e83e7262b0555091faaaf2db06a17f13a75c
Instruction Fuzzy Hash: 81B15D72901129ABDF21EBA8DD85FDEB7BDEF49350F1040A6F609E6141EA309A448F61

Function 00A3A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A3A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A3A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A3A468
CloseHandle.KERNEL32(?), ref: 00A3A63D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9dd8abc039261ce1100cd1813005256aef4f98bd29d951c80e25aea04b630cdd
Instruction ID: efc6f97f8d5afb85ee19f2cef11747a242e12072fe443804465f6c65da3d4c0b
Opcode Fuzzy Hash: 9dd8abc039261ce1100cd1813005256aef4f98bd29d951c80e25aea04b630cdd
Instruction Fuzzy Hash: 89A1A075604300AFD720DF24C986F2AB7E5AF94724F14885DF59A9B2D2DBB0EC41CB92

Function 00A1E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A1CF22,?), ref: 00A1DDFD

Part of subcall function 00A1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A1CF22,?), ref: 00A1DE16

Part of subcall function 00A1E199: GetFileAttributesW.KERNEL32(?,00A1CF95), ref: 00A1E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A1E473
MoveFileW.KERNEL32(?,?), ref: 00A1E4AC
_wcslen.LIBCMT ref: 00A1E5EB
_wcslen.LIBCMT ref: 00A1E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A1E650

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 8ece6e7ac43cb1fa475562f3f1cd17fa8ba98e268a02ef3da81db3255f9a371e
Instruction ID: 45975b9e7d7e1570a3dcdd4fd83d7092de1b63f32da2f86cf56c13a933984655
Opcode Fuzzy Hash: 8ece6e7ac43cb1fa475562f3f1cd17fa8ba98e268a02ef3da81db3255f9a371e
Instruction Fuzzy Hash: D85172B24083459BC724EB90DD81ADFB3ECAFC5350F00491EFA89D3191EF75A6888766

Function 00A3B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A3B6AE,?,?), ref: 00A3C9B5
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3C9F1
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA68
Part of subcall function 00A3C998: _wcslen.LIBCMT ref: 00A3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A3BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A3BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A3BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A3BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A3BBB3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ee254f8c3aa894ef95b76cf9422a8c758eb83744e72173d515b71fe4436a5ace
Instruction ID: 49f9717f954735f0f665795e73c2ad3a4679d65c0bfc4545d8903330b105209e
Opcode Fuzzy Hash: ee254f8c3aa894ef95b76cf9422a8c758eb83744e72173d515b71fe4436a5ace
Instruction Fuzzy Hash: 2F61A031218241AFD314DF14C890F6ABBE5FF84358F14895CF5998B2A2DB31ED45CBA2

Function 00A18BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A18BCD
VariantClear.OLEAUT32 ref: 00A18C3E
VariantClear.OLEAUT32 ref: 00A18C9D
VariantClear.OLEAUT32(?), ref: 00A18D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A18D3B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 971c69b6bc471174862d02518001d3016eca65dacd17728d044a768bbe5e6d59
Instruction ID: 6a14915b91c148f975f57d7c2e8df833734b88722469beb3b349aee91535e0fd
Opcode Fuzzy Hash: 971c69b6bc471174862d02518001d3016eca65dacd17728d044a768bbe5e6d59
Instruction Fuzzy Hash: 675168B5A00219EFCB10CF68D884AAAB7F8FF89310B158559F909DB350E734E911CF90

Function 00A28AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A28BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A28BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A28C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A28C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A28C5F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3d10870b28ff285ca255a24fe98bd85215df57d56e857d3ee9e6a77af81f58bf
Instruction ID: 02365c9dd367b3b2769a507ccb3cadcdd13f1462364d04aa0142d69469fb8133
Opcode Fuzzy Hash: 3d10870b28ff285ca255a24fe98bd85215df57d56e857d3ee9e6a77af81f58bf
Instruction Fuzzy Hash: 55514C35A002149FCB11DF64C881AA9BBF5FF89324F088058F849AB362CB75ED41CBA0

Function 00A38EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A38F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A38FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A38FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A39032
FreeLibrary.KERNEL32(00000000), ref: 00A39052

Part of subcall function 009CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A21043,?,753CE610), ref: 009CF6E6
Part of subcall function 009CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A0FA64,00000000,00000000,?,?,00A21043,?,753CE610,?,00A0FA64), ref: 009CF70D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a88c80e4a75e74b2b28011a8d4b1c04d2b21bf18677a29d16ba831eb7f66e95b
Instruction ID: c60c1afd7c85f5a79af0f0221168cda80a862913b3c25482569aa6c2fe6cb4e3
Opcode Fuzzy Hash: a88c80e4a75e74b2b28011a8d4b1c04d2b21bf18677a29d16ba831eb7f66e95b
Instruction Fuzzy Hash: 6B513938605205DFCB15DF58C5949ADBBB1FF89324F0481A8F80A9B362DB71ED86CB91

Function 00A46B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A46C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A46C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A46C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A2AB79,00000000,00000000), ref: 00A46C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A46CC7

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4eae8d9fab4973af9962ee22f7299d4c48baddd8727acdc28dfc6bd5fd00cdb5
Instruction ID: 581cc4910556177e3cc0e6d28e0cc59f5b7325c50ef10032bbbfe7b58d73da77
Opcode Fuzzy Hash: 4eae8d9fab4973af9962ee22f7299d4c48baddd8727acdc28dfc6bd5fd00cdb5
Instruction Fuzzy Hash: E241D73DA04104AFD724CF68CD94FA97BA5EB8B360F150268F899E72E0C371ED42CA41

Function 009E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009E20C3
_free.LIBCMT ref: 009E20E3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 96ef6f47eec7bd6369cf5f9552a6c2ea5d0c8d6105c3f8329b8a669a26a6a98c
Instruction ID: d14c93759e7c2c227b5c7b5beb5d5cee4861745e32e83aecf5ad3204b555a4a0
Opcode Fuzzy Hash: 96ef6f47eec7bd6369cf5f9552a6c2ea5d0c8d6105c3f8329b8a669a26a6a98c
Instruction Fuzzy Hash: 4D41D232A00244AFCB25DF79C881A5DB7A9EF89314F158569E515EB392D631AE01CB81

Function 009C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009C9141
ScreenToClient.USER32(00000000,?), ref: 009C915E
GetAsyncKeyState.USER32(00000001), ref: 009C9183
GetAsyncKeyState.USER32(00000002), ref: 009C919D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d96d2d1f83dd24a6c7e0fc9b9775ab7c164167f1cc3e609c531b7feb0ce276a4
Instruction ID: 26a8c738bc218628f8ae50b65f8d37e3015f7a8aeeab79bf6ffb44d145779f71
Opcode Fuzzy Hash: d96d2d1f83dd24a6c7e0fc9b9775ab7c164167f1cc3e609c531b7feb0ce276a4
Instruction Fuzzy Hash: FC416C35E0860AFBDF159F64D889BEEB774FB45320F248319E429A32E0C7346950CB92

Function 00A23874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A23922
TranslateMessage.USER32(?), ref: 00A2394B
DispatchMessageW.USER32(?), ref: 00A23955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A23966

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e55439d05379a10d9fdaa544b6f0d9db0c822d5f88876f9656c83436f58d6e12
Instruction ID: 73ed39dafaf84df786de15f0556ae6c1071bd7728430dd57e8c4a22427e71f86
Opcode Fuzzy Hash: e55439d05379a10d9fdaa544b6f0d9db0c822d5f88876f9656c83436f58d6e12
Instruction Fuzzy Hash: 0231A6729043619EEF25CBB8A859BB637E8EB07304F040579E466861A0E7B996C6CB11

Function 00A2CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A2C21E,00000000), ref: 00A2CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A2CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A2C21E,00000000), ref: 00A2CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A2C21E,00000000), ref: 00A2CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A2C21E,00000000), ref: 00A2CFF2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8a3813c58f42c9f302ab9d1173b6c37d4b0cc5dc04fc48b69aa4022c795b3e50
Instruction ID: 005e13906d4bee35f5b001e7f0cd5fa20d2470991ffb53862151adf61dbe7fdf
Opcode Fuzzy Hash: 8a3813c58f42c9f302ab9d1173b6c37d4b0cc5dc04fc48b69aa4022c795b3e50
Instruction Fuzzy Hash: FC319F71500315EFDB20DFA9EA84AAFBBF9EB44360B10403EF506D2141D730AE41DB60

Function 00A11901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A11915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A119E2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e45f34bfd6b5b7e29571d078b72764e2c63820e947320311ee408f0b1ab56f5b
Instruction ID: 103822aa24cc18854ebc55eb4b8caa80e922502d2a6b59aced9bd3de68732dd8
Opcode Fuzzy Hash: e45f34bfd6b5b7e29571d078b72764e2c63820e947320311ee408f0b1ab56f5b
Instruction Fuzzy Hash: 4F31C275A00219EFCB00CFA8CD99ADE7BB5EB45325F108225FA25A72D1C7709984CB90

Function 00A45706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A45745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A4579D
_wcslen.LIBCMT ref: 00A457AF
_wcslen.LIBCMT ref: 00A457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A45816

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ceec1fd63ed8f59f1e956339fec07ff8d4ee62b89fe2bacf4c6264a561768c0f
Instruction ID: 922edb7b450b2721440f12102b99ee0cb58f76b85416a6f6d20742bec2e93c47
Opcode Fuzzy Hash: ceec1fd63ed8f59f1e956339fec07ff8d4ee62b89fe2bacf4c6264a561768c0f
Instruction Fuzzy Hash: 4F218579D046189BDB20DFB0CC85AEDB7B8FF85724F108616E919EB182D7748985CF50

Function 00A30930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A30951
GetForegroundWindow.USER32 ref: 00A30968
GetDC.USER32(00000000), ref: 00A309A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A309B0
ReleaseDC.USER32(00000000,00000003), ref: 00A309E8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: da1a307bd94589f26941026f540c35acdfff47685bd17d7de45d0ec355bf1413
Instruction ID: 96a5e51ef085e5de64abe76e588b9a053031fe0cc9bc1a782bfe3f90e096272c
Opcode Fuzzy Hash: da1a307bd94589f26941026f540c35acdfff47685bd17d7de45d0ec355bf1413
Instruction Fuzzy Hash: BF21A139600214AFD754EFA9D984AAEBBF9EF85710F048068F84A97362CB70AD05CB50

Function 009ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009ECDE9

Part of subcall function 009E3820: RtlAllocateHeap.NTDLL(00000000,?,00A81444,?,009CFDF5,?,?,009BA976,00000010,00A81440,009B13FC,?,009B13C6,?,009B1129), ref: 009E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009ECE0F
_free.LIBCMT ref: 009ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009ECE31

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 2a09e2718b392872e059f934d8fff9345e28ca92dda5e7cdaaf58fa697359288
Instruction ID: ea4b49310d1a4f76044ffd21b2b9fd348bc89a44fd4b95676c63f5fc31a5821a
Opcode Fuzzy Hash: 2a09e2718b392872e059f934d8fff9345e28ca92dda5e7cdaaf58fa697359288
Instruction Fuzzy Hash: 8F01D4B66022957F63225ABB6C8CD7B6A6DDECBFA1315012DF905D7201EA628D0381B0

Function 009C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009C9693
SelectObject.GDI32(?,00000000), ref: 009C96A2
BeginPath.GDI32(?), ref: 009C96B9
SelectObject.GDI32(?,00000000), ref: 009C96E2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bfc4c6a0d74ccf53f3486b5029aa959f1ac9a3e711740fd8bee37150269d7a3a
Instruction ID: 5b4f7090bbe7f5d5bdb34664630b88aefe371082d4612bdb31c170cd5d250941
Opcode Fuzzy Hash: bfc4c6a0d74ccf53f3486b5029aa959f1ac9a3e711740fd8bee37150269d7a3a
Instruction Fuzzy Hash: 4F218E34C02305EBDB11DFA8ED0CBA93BACBB41365F10061AF414A61F0D3719893CB96

Function 00A15711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A15726
_memcmp.LIBVCRUNTIME ref: 00A15744
_memcmp.LIBVCRUNTIME ref: 00A15757
_memcmp.LIBVCRUNTIME ref: 00A1576F
_memcmp.LIBVCRUNTIME ref: 00A15787

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c9b9f635563276d4c486d08686a7925b498f49385e1df148ba2c995d98c74252
Instruction ID: 38cc44939a672ffa0b8e2634647f74dbec4713994e9f80f5fc39060396715715
Opcode Fuzzy Hash: c9b9f635563276d4c486d08686a7925b498f49385e1df148ba2c995d98c74252
Instruction Fuzzy Hash: D201B976A81605FFD2085620DD83FFB735DAFE13A4F004821FD04AA2C1F760ED5086A4

Function 009C990E Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009C98CC
SetTextColor.GDI32(?,?), ref: 009C98D6
SetBkMode.GDI32(?,00000001), ref: 009C98E9
GetStockObject.GDI32(00000005), ref: 009C98F1
GetWindowLongW.USER32(?,000000EB), ref: 009C9952

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 8220679d3eef3f8dbb2f2d35119682876f33ea5d40233067a949899cbe178504
Instruction ID: 09b5d663f5ea76d4d2aded020b7b32d56244bbc91f6ed71d05816e43e06f46da
Opcode Fuzzy Hash: 8220679d3eef3f8dbb2f2d35119682876f33ea5d40233067a949899cbe178504
Instruction Fuzzy Hash: CB1126399462509FCB12CF64EC68FF93F68AF57331B08018DF5928B1A1C6325852CB11

Function 009E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009DF2DE,009E3863,00A81444,?,009CFDF5,?,?,009BA976,00000010,00A81440,009B13FC,?,009B13C6), ref: 009E2DFD
_free.LIBCMT ref: 009E2E32
_free.LIBCMT ref: 009E2E59
SetLastError.KERNEL32(00000000,009B1129), ref: 009E2E66
SetLastError.KERNEL32(00000000,009B1129), ref: 009E2E6F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 99179b85c04a22df62334dc0e4d82fd78181c72296a453753502efcb44bcbc8f
Instruction ID: 54cafb2a64e84b9d8cc3bf237ea8beab010b32cb7210ec528d94c2515b083ccc
Opcode Fuzzy Hash: 99179b85c04a22df62334dc0e4d82fd78181c72296a453753502efcb44bcbc8f
Instruction Fuzzy Hash: D0012D361066A077C61367B76C4AE2B175DABC2775B35853CF469A32D3EF348C024120

Function 00A1000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?,?,00A1035E), ref: 00A1002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?), ref: 00A10046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?), ref: 00A10054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?), ref: 00A10064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A0FF41,80070057,?,?), ref: 00A10070

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 43bb53e9e0d646a63502a53e5c79501950daae0be64cfe7d2eb4a0908bfb3775
Instruction ID: 165cdc2ce7624b6bba4e348624aef4da101a6aa29e97e26ef06ceb471f52cdb8
Opcode Fuzzy Hash: 43bb53e9e0d646a63502a53e5c79501950daae0be64cfe7d2eb4a0908bfb3775
Instruction Fuzzy Hash: 4C01847A601204BFDB508FA8DC04FEA7AADEB88762F144124F945D6210E7B2DD818760

Function 00A1E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A1E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A1E9A5
Sleep.KERNEL32(00000000), ref: 00A1E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A1E9B7
Sleep.KERNEL32 ref: 00A1E9F3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 231de8c231c7d60aa054eca73cb290387ac41da818e637e4b19cfd0689308dbb
Instruction ID: a130eb9d026d8b70405672a4c58a233f7a20c0cd084ee3359da8c039ec5e91f8
Opcode Fuzzy Hash: 231de8c231c7d60aa054eca73cb290387ac41da818e637e4b19cfd0689308dbb
Instruction Fuzzy Hash: A4015739C0262DDBCF40EBE9DC49AEDFB78BB49711F040646E906B2241DB3095918BA1

Function 00A110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A11114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A11120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A1112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A10B9B,?,?,?), ref: 00A11136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A1114D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 41205f2e8973410c5525af6d1385bd91264314ea96199dea5e710578a92bed19
Instruction ID: 091bb8e1c162037ae3f04d3830f81a4c9033c90cdd475f9f4ab548afb492c9d7
Opcode Fuzzy Hash: 41205f2e8973410c5525af6d1385bd91264314ea96199dea5e710578a92bed19
Instruction Fuzzy Hash: 3D016D7D101205BFDB518FA5DC49AAA7B6EEFC6364B100418FA45C7360DB32DC418A60

Function 00A10FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A10FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A10FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A10FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A10FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A11002

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db7b07f45ce9b51e39ccde049df78af01dc9d79a8e43db1d9a911d69948524cf
Instruction ID: b5ab9bb2c190d83ffd7b12f5c5d0ae42637e193af92f764247e221d3af40dfdd
Opcode Fuzzy Hash: db7b07f45ce9b51e39ccde049df78af01dc9d79a8e43db1d9a911d69948524cf
Instruction Fuzzy Hash: C2F04F3D602311ABD7218FE49C49F963B6DEFCA761F104414FA4AC6251CA71DC818A60

Function 00A11014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A1102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A11036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A11045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A1104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A11062

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 54d4d7d27fbab3bb402088eafc712dd9ff3a4501a48ce4a4f75e24b44afb0235
Instruction ID: 849c4aac91a29000a52e7ecd444ae112ce6c27ed9080f37963b516afc9b9c43b
Opcode Fuzzy Hash: 54d4d7d27fbab3bb402088eafc712dd9ff3a4501a48ce4a4f75e24b44afb0235
Instruction Fuzzy Hash: CBF0623D602311EBD7219FE5EC49F963B6DEFCA761F500424FA49C7250CA71D881CA60

Function 00A2030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00A2017D,?,00A232FC,?,00000001,009F2592,?), ref: 00A20324
CloseHandle.KERNEL32(?,?,?,?,00A2017D,?,00A232FC,?,00000001,009F2592,?), ref: 00A20331
CloseHandle.KERNEL32(?,?,?,?,00A2017D,?,00A232FC,?,00000001,009F2592,?), ref: 00A2033E
CloseHandle.KERNEL32(?,?,?,?,00A2017D,?,00A232FC,?,00000001,009F2592,?), ref: 00A2034B
CloseHandle.KERNEL32(?,?,?,?,00A2017D,?,00A232FC,?,00000001,009F2592,?), ref: 00A20358
CloseHandle.KERNEL32(?,?,?,?,00A2017D,?,00A232FC,?,00000001,009F2592,?), ref: 00A20365

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b094a79805c62b3786a85a1ba543e75d80dc57d7cc827826af872f505ae49acf
Instruction ID: 24259be264ef9a29e8079542544339600c19f88786fc3b29dfed675ea37783d3
Opcode Fuzzy Hash: b094a79805c62b3786a85a1ba543e75d80dc57d7cc827826af872f505ae49acf
Instruction Fuzzy Hash: 5901A276801B259FC7309F6AE880812FBF5BF503153158A3FD19656932C371A955CF80

Function 009ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009ED752

Part of subcall function 009E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000), ref: 009E29DE
Part of subcall function 009E29C8: GetLastError.KERNEL32(00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000,00000000), ref: 009E29F0

_free.LIBCMT ref: 009ED764
_free.LIBCMT ref: 009ED776
_free.LIBCMT ref: 009ED788
_free.LIBCMT ref: 009ED79A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a877426a383a6647f8f387cc1fcc00b94d898dc9d2745e11336790a1cd610bb6
Instruction ID: 74b081404e00216319bcd586b3074c5eaa4364e093f7e17b3a071db05d352104
Opcode Fuzzy Hash: a877426a383a6647f8f387cc1fcc00b94d898dc9d2745e11336790a1cd610bb6
Instruction Fuzzy Hash: 0BF09672501288ABC623EBA6FEC2D1A77DDBB44320B955C09F04CE7502C735FCC08664

Function 00A15C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A15C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A15C6F
MessageBeep.USER32(00000000), ref: 00A15C87
KillTimer.USER32(?,0000040A), ref: 00A15CA3
EndDialog.USER32(?,00000001), ref: 00A15CBD

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: eee9acb4e499c9e33bb40153bb4b362de18a1df8bb2d1c1a3fc4a3679d5742a8
Instruction ID: 965c7f8bb9503d2ab7c3f746685d55713dcba5fe26e53bae9a33d85f0feb6249
Opcode Fuzzy Hash: eee9acb4e499c9e33bb40153bb4b362de18a1df8bb2d1c1a3fc4a3679d5742a8
Instruction Fuzzy Hash: 1901DB38501714DBEB205F60DD4EFD5B7B8BB41701F001159A547610E0DBF5A9858A90

Function 009E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009E22BE

Part of subcall function 009E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000), ref: 009E29DE
Part of subcall function 009E29C8: GetLastError.KERNEL32(00000000,?,009ED7D1,00000000,00000000,00000000,00000000,?,009ED7F8,00000000,00000007,00000000,?,009EDBF5,00000000,00000000), ref: 009E29F0

_free.LIBCMT ref: 009E22D0
_free.LIBCMT ref: 009E22E3
_free.LIBCMT ref: 009E22F4
_free.LIBCMT ref: 009E2305

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efca40915aa2133770ab0d22241bb5d3b8df7cefd734458ee45c7aef6cc830d8
Instruction ID: 101a4075f23e79f2e658abed941ff3ccbcf8c4848495a85a4f54f8f427528df3
Opcode Fuzzy Hash: efca40915aa2133770ab0d22241bb5d3b8df7cefd734458ee45c7aef6cc830d8
Instruction Fuzzy Hash: 94F03A718001648BC623FFD9BD02D483B6CBB18760702955AF524D62B2D7340C53AFE5

Function 009C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009C95D4
StrokeAndFillPath.GDI32(?,?,00A071F7,00000000,?,?,?), ref: 009C95F0
SelectObject.GDI32(?,00000000), ref: 009C9603
DeleteObject.GDI32 ref: 009C9616
StrokePath.GDI32(?), ref: 009C9631

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 65b85211e8f43ccb80cd325ae910c60068e6430ef909f986325fc192d3e9a796
Instruction ID: 2287abc9a20d3bc5dae5048f1194c5917cd9b5c0ed5a3cbd07326e631dcd55b2
Opcode Fuzzy Hash: 65b85211e8f43ccb80cd325ae910c60068e6430ef909f986325fc192d3e9a796
Instruction Fuzzy Hash: C2F03738406748EBDB26DFE9ED1CB643B69AB82332F448218F829550F1D7318993DF21

Function 009E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009E10F9
__freea.LIBCMT ref: 009E1117

Part of subcall function 009E1537: _free.LIBCMT ref: 009E154F

Strings

a/p, xrefs: 009E11DE
am/pm, xrefs: 009E117A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: d66f4b6493f246b0aefd474c5b80816b3ae03f9c36fd8d03b0fc86a0cd0e4ca1
Instruction ID: ce738f7c5ef68c1a464e8654d7bfa7dcb41e25861f9e84fccc6050838e9c0a11
Opcode Fuzzy Hash: d66f4b6493f246b0aefd474c5b80816b3ae03f9c36fd8d03b0fc86a0cd0e4ca1
Instruction Fuzzy Hash: 9AD158319042C6DBCB2B8F6AC845BFEB7B8FF05300F28451AEA11AB655D3759D80CB91

Function 00A37B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 009D0242: EnterCriticalSection.KERNEL32(00A8070C,00A81884,?,?,009C198B,00A82518,?,?,?,009B12F9,00000000), ref: 009D024D
Part of subcall function 009D0242: LeaveCriticalSection.KERNEL32(00A8070C,?,009C198B,00A82518,?,?,?,009B12F9,00000000), ref: 009D028A

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 009D00A3: __onexit.LIBCMT ref: 009D00A9

__Init_thread_footer.LIBCMT ref: 00A37BFB

Part of subcall function 009D01F8: EnterCriticalSection.KERNEL32(00A8070C,?,?,009C8747,00A82514), ref: 009D0202
Part of subcall function 009D01F8: LeaveCriticalSection.KERNEL32(00A8070C,?,009C8747,00A82514), ref: 009D0235

Strings

G, xrefs: 00A37C7F
5, xrefs: 00A37C78
Variable must be of type 'Object'., xrefs: 00A37C3A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: abbc6b7cb490201c7f7d6b2672be4f703f267e86ba5ad0d98cdac2021f26302a
Instruction ID: d46cf4d6ff0007f888cf951ec50d93848015a417b684028a80ffff08ef20d4a4
Opcode Fuzzy Hash: abbc6b7cb490201c7f7d6b2672be4f703f267e86ba5ad0d98cdac2021f26302a
Instruction Fuzzy Hash: F99180B4A04209EFCB24EF94D991EBDB7B1FF85350F108059F8469B292DB71AE41CB51

Function 00A12716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A121D0,?,?,00000034,00000800,?,00000034), ref: 00A1B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A12760

Part of subcall function 00A1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A1B3F8

Part of subcall function 00A1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A1B355
Part of subcall function 00A1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A12194,00000034,?,?,00001004,00000000,00000000), ref: 00A1B365
Part of subcall function 00A1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A12194,00000034,?,?,00001004,00000000,00000000), ref: 00A1B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A1281A

Strings

@, xrefs: 00A12832

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b863f98e0fe5864d3f9cc7391e548767d38e02dd295464f40714fea38ca08e81
Instruction ID: 65648d9f1a3b8392f6f8f26c2a858f315df41b437459fb31b8f69cc4a4116eb6
Opcode Fuzzy Hash: b863f98e0fe5864d3f9cc7391e548767d38e02dd295464f40714fea38ca08e81
Instruction Fuzzy Hash: 99414F76900218AFDB10DFA4CD85BDEBBB8EF45300F108095FA55B7181DB71AE85CB60

Function 009E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 009E1769
_free.LIBCMT ref: 009E1834
_free.LIBCMT ref: 009E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 009E1760, 009E1767, 009E1796, 009E17CE

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 767f45603f26f00b725af2ca1b9e751d79d0dc50bba10f91f581e03fe6da968c
Instruction ID: cf79d9c28263d481b940adc2e7097b485f04d37914143a48b3641ebd33f74a46
Opcode Fuzzy Hash: 767f45603f26f00b725af2ca1b9e751d79d0dc50bba10f91f581e03fe6da968c
Instruction Fuzzy Hash: 89318175A00298EFDB22DF9ADC85E9EBBFCEB85710B14416AF805D7211E7718E41CB90

Function 00A1C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A1C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A1C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A81990,013F7778), ref: 00A1C395

Strings

0, xrefs: 00A1C2DF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0f498eac38cd917eaa3a3e0441229fc80d382916f2738c7f32c0db428bfbd220
Instruction ID: 1f8f7db7e349cfa582954abfbccef0222cf56a130cb1bdccb427dda04da9f54e
Opcode Fuzzy Hash: 0f498eac38cd917eaa3a3e0441229fc80d382916f2738c7f32c0db428bfbd220
Instruction Fuzzy Hash: ED41C2352443019FD724DF24D884B9AFBE8AF85330F108A1EF9A59B2D1D730E945CB62

Function 00A44416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A4CC08,00000000,?,?,?,?), ref: 00A444AA
GetWindowLongW.USER32 ref: 00A444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A444D7

Strings

SysTreeView32, xrefs: 00A4447C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3e5b0c6f34003678723220746c72a9f021baad5d7deabcb91d64604b25f36808
Instruction ID: 172bf420ca506457d05e9bd65edde98b36e3242a2dc9215221d90cc7d40ee670
Opcode Fuzzy Hash: 3e5b0c6f34003678723220746c72a9f021baad5d7deabcb91d64604b25f36808
Instruction Fuzzy Hash: DD31C03A200605AFDF208F78DC45BEA7BA9EB88334F208715F979921D0D770EC519B50

Function 00A3304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A33077,?,?), ref: 00A33378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A3307A
_wcslen.LIBCMT ref: 00A3309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A33106

Strings

255.255.255.255, xrefs: 00A33095, 00A3309A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: f1e3d08bd234c1fc0542920432769ad73a4c34447cd5db9a19afb27365fdb575
Instruction ID: 4080cb04ae2e36f42e4a5d33d2c1d0b54a56a874456b2655740f44dead16a318
Opcode Fuzzy Hash: f1e3d08bd234c1fc0542920432769ad73a4c34447cd5db9a19afb27365fdb575
Instruction Fuzzy Hash: CE31923A6082059FCF14CF68C585AA977F0EF55318F248159F9158F392DB72DE45C760

Function 00A43EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A43F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A43F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A43F78

Strings

SysMonthCal32, xrefs: 00A43F0B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 54d939511199fd26f26ab244b664e95e19ca5adf23a0be7e7976383b24e6b9de
Instruction ID: eeef7aacc865bb2baf3fd75820be6b118cf30994d25a778bffd2cd8add599f61
Opcode Fuzzy Hash: 54d939511199fd26f26ab244b664e95e19ca5adf23a0be7e7976383b24e6b9de
Instruction Fuzzy Hash: 2B21AB37600219BBDF25CF90DC46FEA3B79EF88724F110214FE19AB190D6B6A8558B90

Function 00A44653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A44705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A44713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A4471A

Strings

msctls_updown32, xrefs: 00A44684

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4e5e7e0c7cf2ea711cd6ad1b98e8a78b11976dc57c5c443b764650db4108a869
Instruction ID: 882e84472192face925b1f6ef214742de79584731d1e108699733bb6ff5e4913
Opcode Fuzzy Hash: 4e5e7e0c7cf2ea711cd6ad1b98e8a78b11976dc57c5c443b764650db4108a869
Instruction Fuzzy Hash: 372162B9600209AFEB10DF64DCC1EB777ADEB9A3A4B050459FA1497351DB35EC12CB60

Function 00A195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A1961D

Strings

#notrayicon, xrefs: 00A195B7
#OnAutoItStartRegister, xrefs: 00A195F3
#requireadmin, xrefs: 00A195D9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4f1e4e09497321967907131b4f83f82b06f12d4a2f1dc1daf9d44ed71e6a6c3f
Instruction ID: aa3e97d6fb6956550080a64d4fe9e6d8a57479fc8a793840124b26615f2d8ba5
Opcode Fuzzy Hash: 4f1e4e09497321967907131b4f83f82b06f12d4a2f1dc1daf9d44ed71e6a6c3f
Instruction Fuzzy Hash: 4F215B321041106AE331BB249D22FF7B3E9EFD1360F508426F959A7142EB51ADC5C2B5

Function 00A437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A43840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A43850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A43876

Strings

Listbox, xrefs: 00A4380F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4e74c256cb8f512c8b5e49a726fd7d514c790025a16a4347b0b36fb3000b40c7
Instruction ID: da28deebfa2445e28da6002ffd005b4e20ae0dfdd83f90a1d5104942d092b42c
Opcode Fuzzy Hash: 4e74c256cb8f512c8b5e49a726fd7d514c790025a16a4347b0b36fb3000b40c7
Instruction Fuzzy Hash: 5D21AC76600218BBEF21CF95CC81EAB7B6EEFC9760F108124F9449B190CA769C5287A0

Function 00A249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A24A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A24A5C
SetErrorMode.KERNEL32(00000000,?,?,00A4CC08), ref: 00A24AD0

Strings

%lu, xrefs: 00A24A6F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 33db75fcbf4b328d9116c46750d1474b60ff91c496d20939c224ed4354680b6a
Instruction ID: f8b6d248b1a92c6fcdd94d122bb7c9b3999a14865a98c90b4e9118eea8c9aa75
Opcode Fuzzy Hash: 33db75fcbf4b328d9116c46750d1474b60ff91c496d20939c224ed4354680b6a
Instruction Fuzzy Hash: D431A274A00108AFDB10DF58C981FAA7BF8EF48318F1480A8F909DB252D771ED46CB61

Function 00A441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A4424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A44264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A44271

Strings

msctls_trackbar32, xrefs: 00A44226

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bcd44f3908872f5a5b96cb6cbeddefbe5418c8b671a19ab03a59f464ed3193ca
Instruction ID: 051b65f2d5c8cff1cdac9df1e75861ef1acc3c59b9d5a8303f4e8c4ba79cd6be
Opcode Fuzzy Hash: bcd44f3908872f5a5b96cb6cbeddefbe5418c8b671a19ab03a59f464ed3193ca
Instruction Fuzzy Hash: D2110635240208BEEF209F69CC06FEB3BACEFD9B64F114624FA55E2090D6B1DC119B10

Function 00A12F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B6B57: _wcslen.LIBCMT ref: 009B6B6A

Part of subcall function 00A12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A12DC5
Part of subcall function 00A12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A12DD6
Part of subcall function 00A12DA7: GetCurrentThreadId.KERNEL32 ref: 00A12DDD
Part of subcall function 00A12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A12DE4

GetFocus.USER32 ref: 00A12F78

Part of subcall function 00A12DEE: GetParent.USER32(00000000), ref: 00A12DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A12FC3
EnumChildWindows.USER32(?,00A1303B), ref: 00A12FEB

Strings

%s%d, xrefs: 00A12FFF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ac341b2a22fca731480f27e98e4d713930671c23c86120e3e06a50e83c40c436
Instruction ID: da5bfa2b02b5ae75ff775f2c5459884471ea1054ed07b24ad1a94b617221c532
Opcode Fuzzy Hash: ac341b2a22fca731480f27e98e4d713930671c23c86120e3e06a50e83c40c436
Instruction Fuzzy Hash: 7A11C0756002056BDF44AFA0DD95FED77AAAF88314F048075B9099B152DE319A858B70

Function 00A45882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A458EE
DrawMenuBar.USER32(?), ref: 00A458FD

Strings

0, xrefs: 00A4588F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 565c05041863a100da55ffe8b04be74e2422ee5ca8f75cf6c91e1aeadba1597d
Instruction ID: b2cd02bdfb9c7b0e4aea846c567c5beedda2c35d7a50140bd7d695fe9ab7ea6b
Opcode Fuzzy Hash: 565c05041863a100da55ffe8b04be74e2422ee5ca8f75cf6c91e1aeadba1597d
Instruction Fuzzy Hash: 09018439901218EFDB519F61DC44FAEBBB5FF85760F10C099E849D6152DB308A84DF21

Function 00A0D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A0D3BF
FreeLibrary.KERNEL32 ref: 00A0D3E5

Strings

X64, xrefs: 00A0D2A8
GetSystemWow64DirectoryW, xrefs: 00A0D3B9

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 025b891bd408f829dffb57078b5b10fa579f9a47a90b63122b9a5f6c1fa65871
Instruction ID: 08986ce7fa5b819cfa24dcbe9498b79bee52fec81040a5b93fbac3f31f4274ed
Opcode Fuzzy Hash: 025b891bd408f829dffb57078b5b10fa579f9a47a90b63122b9a5f6c1fa65871
Instruction Fuzzy Hash: 37F0AB3B803A28EBC3B193946C54EADB734AF15B01B548628F80AFD0C8E720CD408797

Function 00A1007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f2af9472681d874afc48a437d3bdaf933614a4b0f353e589daf0d3f4db34ae
Instruction ID: acd84355a35c45f0e140bc1e5510508cd63bed3c7890d31dd3d99a3f51d1423a
Opcode Fuzzy Hash: 64f2af9472681d874afc48a437d3bdaf933614a4b0f353e589daf0d3f4db34ae
Instruction Fuzzy Hash: F7C14975A0020AEFCB14CFA8C898EAEB7B5FF48304F218598E515EB251D771ED81DB90

Function 009E3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009E3F0B
__alldvrm.LIBCMT ref: 009E410C
__alldvrm.LIBCMT ref: 009E412E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 12ab3f101e5738ef637f7f532572c40efa4282f8dad5d4b90666fa3749f98e71
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: A6A13671E043C69FEB27CF1AC8917AEBBE8EF65350F1485ADE5859B282C2388D41C750

Function 00A3342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A33459
CoUninitialize.OLE32 ref: 00A33463
VariantInit.OLEAUT32(?), ref: 00A3346E
VariantClear.OLEAUT32(?), ref: 00A3371B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a9475fbb7b544eb137e9088a50d861bf63df8463f4ba9178595a4fefba2c6d03
Instruction ID: 90e4f2cd0aa43bd7a05249024ed2a62394246495f6846ec203bc7f04d1ff23a4
Opcode Fuzzy Hash: a9475fbb7b544eb137e9088a50d861bf63df8463f4ba9178595a4fefba2c6d03
Instruction Fuzzy Hash: 35A14F756083109FCB10DF68C585A6AB7E5FF88724F04895DF98A9B362DB70ED01CB52

Function 00A10436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A4FC08,?), ref: 00A105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A4FC08,?), ref: 00A10608
CLSIDFromProgID.OLE32(?,?,00000000,00A4CC40,000000FF,?,00000000,00000800,00000000,?,00A4FC08,?), ref: 00A1062D
_memcmp.LIBVCRUNTIME ref: 00A1064E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e07f253bd45f86b17200535290801ab50e4354421987bc79ce3bf5a2b3d7b5de
Instruction ID: 343cf0a05dd43086a9630122a69db90aa6d2f687937b4e60e6519cb39fc2490c
Opcode Fuzzy Hash: e07f253bd45f86b17200535290801ab50e4354421987bc79ce3bf5a2b3d7b5de
Instruction Fuzzy Hash: 0081DC75A00109EFCB04DF94C984EEEB7B9FF89315F204558F516AB250DB71AE46CB60

Function 00A3A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A3A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A3A6BA

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A3A79C
CloseHandle.KERNEL32(00000000), ref: 00A3A7AB

Part of subcall function 009CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,009F3303,?), ref: 009CCE8A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0d7a797a90a6ba3677abd90de4fbd23a1ccf239e852d9205745b970cf6bee3c4
Instruction ID: defd8849449976e9e9f092cd212932272142c060b35875055a589a0dc52837d5
Opcode Fuzzy Hash: 0d7a797a90a6ba3677abd90de4fbd23a1ccf239e852d9205745b970cf6bee3c4
Instruction Fuzzy Hash: 8D514CB5508310AFD710EF24C986A6BBBE8FFC9764F00491DF58997251EB31E904CB92

Function 009F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009F14C0

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1660bbde7675cf644df188892a1fdfa9b9a58180bddaa2eab1c89c0d8e470f43
Instruction ID: d060bc8dff91b648003ecae3686ddb23b2c65cbacfe28284ae8920612cb2a406
Opcode Fuzzy Hash: 1660bbde7675cf644df188892a1fdfa9b9a58180bddaa2eab1c89c0d8e470f43
Instruction Fuzzy Hash: 97416D3150011CEBDB256BFA9C467BE3AA8EFC5370F244226FA19D62A2E6344C4157F1

Function 00A46278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A462E2
ScreenToClient.USER32(?,?), ref: 00A46315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A46382

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 2a9c9c3e822009b9b9f2b560e42635c5da6396b76777fd12368a02acd6f390f4
Instruction ID: 00ec86f960e6fac6b180c5f6da15baa932b20d6ec12a8f793789d7075c26a177
Opcode Fuzzy Hash: 2a9c9c3e822009b9b9f2b560e42635c5da6396b76777fd12368a02acd6f390f4
Instruction Fuzzy Hash: 6F516078A00249EFCF14DF68D980AAE7BB5FF86364F108259F8159B290D770ED81CB51

Function 00A31AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A31AFD
WSAGetLastError.WSOCK32 ref: 00A31B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A31B8A
WSAGetLastError.WSOCK32 ref: 00A31B94

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7584dbe1d8093e8bcfd1b3428c293c84a660e2e20f4c221e1931bace265f1697
Instruction ID: 0d88d12bb512d33c69049a729450ed0c46f5a85e8e743771c15766313aba8bd9
Opcode Fuzzy Hash: 7584dbe1d8093e8bcfd1b3428c293c84a660e2e20f4c221e1931bace265f1697
Instruction Fuzzy Hash: 9F41A474600200AFE720AF24C886F6677E5AB84718F54849CF91A9F7D2E772ED42CB91

Function 009EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac1c5a2022a18cbfbe7c4ded0bffc02f27440766a9c8a05d1ff327a25dd8510
Instruction ID: ce375cae740a60651191d055b55bb2802e657e80d50b63bf09553a12c3325d3b
Opcode Fuzzy Hash: bac1c5a2022a18cbfbe7c4ded0bffc02f27440766a9c8a05d1ff327a25dd8510
Instruction Fuzzy Hash: D941F771A00344AFD7259F79CC41B6BBBA9EBC4720F10852EF556DB6D1E771AD018780

Function 00A256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A25783
GetLastError.KERNEL32(?,00000000), ref: 00A257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A257FA

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4da534b403f8ce25b0cbc27a2ca69e030574f0d5acbb3710d0ba43ba0fa4b609
Instruction ID: 84238132222613a65d1a9d4b0b128c4be30bcf7296e2645bf76c879711792c44
Opcode Fuzzy Hash: 4da534b403f8ce25b0cbc27a2ca69e030574f0d5acbb3710d0ba43ba0fa4b609
Instruction Fuzzy Hash: 00412C39600610DFCB21EF55C545A5DBBF2AF89320B18C898F84A5B762CB75FD41CB91

Function 009ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009D6D71,00000000,00000000,009D82D9,?,009D82D9,?,00000001,009D6D71,8BE85006,00000001,009D82D9,009D82D9), ref: 009ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009ED9AB
__freea.LIBCMT ref: 009ED9B4

Part of subcall function 009E3820: RtlAllocateHeap.NTDLL(00000000,?,00A81444,?,009CFDF5,?,?,009BA976,00000010,00A81440,009B13FC,?,009B13C6,?,009B1129), ref: 009E3852

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 803b0f72866d671ed4824d7aadb5bab2e72ed3bd5c0d3d48fbfee3ae84ecb195
Instruction ID: 745c5637f18baf50d89867e8db2877f8744aef656c2da0f2fd136e880e886203
Opcode Fuzzy Hash: 803b0f72866d671ed4824d7aadb5bab2e72ed3bd5c0d3d48fbfee3ae84ecb195
Instruction Fuzzy Hash: 7F311472A0224AABDF26CF66DC45EAE7BA9EF80310F054169FC04D7251EB35CD51CBA0

Function 00A452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A45352
GetWindowLongW.USER32(?,000000F0), ref: 00A45375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A45382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A453A8

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 56ec76d14e758661bf77a909962e730e547cb3ddc7d33c6b277abc5b01ad75a0
Instruction ID: 74ed05ca17233e34bc8237e0f89344eb49d6ac4507a981d39504dc2ccbae0190
Opcode Fuzzy Hash: 56ec76d14e758661bf77a909962e730e547cb3ddc7d33c6b277abc5b01ad75a0
Instruction Fuzzy Hash: 9D31043CE55A08EFEB309F74CC25BE87765AB85390F584001FA108A1E2C3B4BD40DB41

Function 00A1AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A1ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A1AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A1AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A1ACC6

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1596142ac58837b62df141c6e1902420aec1c290fd5b9701d2565f45454645ae
Instruction ID: 2be210563fd56587a01b95828e4025f216358dce616bebe0bf946cdd6c81e7bf
Opcode Fuzzy Hash: 1596142ac58837b62df141c6e1902420aec1c290fd5b9701d2565f45454645ae
Instruction Fuzzy Hash: CC310630A41718AFEF35CBE58C047FA7BB6ABA9320F04821AE485922D1D37589C587D2

Function 00A47674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A4769A
GetWindowRect.USER32(?,?), ref: 00A47710
PtInRect.USER32(?,?,00A48B89), ref: 00A47720
MessageBeep.USER32(00000000), ref: 00A4778C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5ede575ff101ca538774fe9da8090cdd5da38c2039034660785fcf5ff2bf32fb
Instruction ID: 6bb99820415c559da4a990039674f0451fe9d199c0442b5aabad75c62a776a45
Opcode Fuzzy Hash: 5ede575ff101ca538774fe9da8090cdd5da38c2039034660785fcf5ff2bf32fb
Instruction Fuzzy Hash: 04416B3CA05294DFCB11CFA8C894EADB7F9FF89314F5581A8E8149B261C731A942CF90

Function 00A416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A416EB

Part of subcall function 00A13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A13A57
Part of subcall function 00A13A3D: GetCurrentThreadId.KERNEL32 ref: 00A13A5E
Part of subcall function 00A13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A125B3), ref: 00A13A65

GetCaretPos.USER32(?), ref: 00A416FF
ClientToScreen.USER32(00000000,?), ref: 00A4174C
GetForegroundWindow.USER32 ref: 00A41752

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 411f3a4067d99645a407ad838be5170d9d88f7591216029214e699bc0ffd27b8
Instruction ID: 40ca208f5c337f18ded862d577274bac51d05bbc8d2f327b1dbf1060139bcb18
Opcode Fuzzy Hash: 411f3a4067d99645a407ad838be5170d9d88f7591216029214e699bc0ffd27b8
Instruction Fuzzy Hash: 85313075D00149AFCB00EFA9C981DEEBBF9EF89314B5480AAE415E7211D7359E45CFA0

Function 00A1DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 009B7620: _wcslen.LIBCMT ref: 009B7625

_wcslen.LIBCMT ref: 00A1DFCB
_wcslen.LIBCMT ref: 00A1DFE2
_wcslen.LIBCMT ref: 00A1E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00A1E018

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: d9766dde6c4a0f01638cef602ac7b8647b91b585385a726cd3275f3741e0322e
Instruction ID: fc6f9e3e66c1f64474cde61b8667818b34860b746863909a665d22c02d45112a
Opcode Fuzzy Hash: d9766dde6c4a0f01638cef602ac7b8647b91b585385a726cd3275f3741e0322e
Instruction Fuzzy Hash: 6C218175D40214EFCB20DFA8D981BAEB7F8EF89760F158065E805BB385D6709E41CBA1

Function 00A48FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

GetCursorPos.USER32(?), ref: 00A49001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A07711,?,?,?,?,?), ref: 00A49016
GetCursorPos.USER32(?), ref: 00A4905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A07711,?,?,?), ref: 00A49094

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9d9901ebbb4bdf7feb9cccec6597d7fd14a071433b961f4a0c26cab188fc188f
Instruction ID: 24680dcd67c59b10be8b4adbc68564f3f60f4cbb99df8fce3fab0cbd3ae54873
Opcode Fuzzy Hash: 9d9901ebbb4bdf7feb9cccec6597d7fd14a071433b961f4a0c26cab188fc188f
Instruction Fuzzy Hash: C9219F39601018EFDB25CF94C859EEB7BB9EBCA360F044059F90547261C7369D61DB61

Function 00A1D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A4CB68), ref: 00A1D2FB
GetLastError.KERNEL32 ref: 00A1D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A1D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A4CB68), ref: 00A1D376

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f2c15304358d3c3fc078a20ea21cd30e6049e806295fd7ce734604f04ce76d6f
Instruction ID: 2c6e3ce1d6c991e6b0aee4fc83a8770fcd8002d7d2fd8f6330946a5953501711
Opcode Fuzzy Hash: f2c15304358d3c3fc078a20ea21cd30e6049e806295fd7ce734604f04ce76d6f
Instruction Fuzzy Hash: E921A3745052019FC710EF64C9814EA77E8EF96364F104A1DF4A9DB2A1E731D986CB93

Function 00A11571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A1102A
Part of subcall function 00A11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A11036
Part of subcall function 00A11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A11045
Part of subcall function 00A11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A1104C
Part of subcall function 00A11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A11062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A115BE
_memcmp.LIBVCRUNTIME ref: 00A115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A11617
HeapFree.KERNEL32(00000000), ref: 00A1161E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: cb3e459ffa123ccc3702b77acf2e3db870709e7d2b1c77f9ee64600cfc837feb
Instruction ID: ab7a46f730d071c422371d39829e64c3dda871d6020721b5f4a395971aa852dd
Opcode Fuzzy Hash: cb3e459ffa123ccc3702b77acf2e3db870709e7d2b1c77f9ee64600cfc837feb
Instruction Fuzzy Hash: 0521BE32E01108EFDF00DFA4C945BEEB7B9EF84354F088459E555AB241E732AE85CBA0

Function 00A42782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A4280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A42824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A42832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A42840

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 48443d43349b9d80bf1bbe86a26e330e0271485577e77892e5cf194c100e062b
Instruction ID: df565ecdf9be4695c273b29b777750f081dad1a3f9c28a63c8d8f51d2105bf97
Opcode Fuzzy Hash: 48443d43349b9d80bf1bbe86a26e330e0271485577e77892e5cf194c100e062b
Instruction Fuzzy Hash: 8F21B339205511AFD714DB24C845FAA7BA9AFC6324F548158F42A8B6E2CB71FC42CB91

Function 00A178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A1790A,?,000000FF,?,00A18754,00000000,?,0000001C,?,?), ref: 00A18D8C
Part of subcall function 00A18D7D: lstrcpyW.KERNEL32(00000000,?,?,00A1790A,?,000000FF,?,00A18754,00000000,?,0000001C,?,?,00000000), ref: 00A18DB2
Part of subcall function 00A18D7D: lstrcmpiW.KERNEL32(00000000,?,00A1790A,?,000000FF,?,00A18754,00000000,?,0000001C,?,?), ref: 00A18DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A18754,00000000,?,0000001C,?,?,00000000), ref: 00A17923
lstrcpyW.KERNEL32(00000000,?,?,00A18754,00000000,?,0000001C,?,?,00000000), ref: 00A17949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A18754,00000000,?,0000001C,?,?,00000000), ref: 00A17984

Strings

cdecl, xrefs: 00A1797B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 954c141ad976357149247a06720b919bc6f885a9b41d1b90cc22a089bb13637f
Instruction ID: 634ce63f7dec0d0d201bff25a39d23aa3e07dbf2dcab3f3c7b2b859114e9a99b
Opcode Fuzzy Hash: 954c141ad976357149247a06720b919bc6f885a9b41d1b90cc22a089bb13637f
Instruction Fuzzy Hash: F911E93E201301ABCB159F38DC45EBE77B5FF85350B50902AF946C72A5EB319855C791

Function 00A47CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A47D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A47D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A47D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A2B7AD,00000000), ref: 00A47D6B

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c46ff1bc8caadf91773b4b4658cbddcbab48bd61e96e586e6ca63d947ebc5c25
Instruction ID: eee6a734a424e7721894c59a532a7de25c0fdd37e1f46cee9b57fdf8f47efa39
Opcode Fuzzy Hash: c46ff1bc8caadf91773b4b4658cbddcbab48bd61e96e586e6ca63d947ebc5c25
Instruction Fuzzy Hash: 7E11AF39A15655AFCB10DF68CC04AAA3BA9AF86370B158724F839D72F0E7319D52CB50

Function 00A45660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A456BB
_wcslen.LIBCMT ref: 00A456CD
_wcslen.LIBCMT ref: 00A456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A45816

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 110f65ba45a8a9fd12cb5b6a12b4fc0379e928c567e3ca708eb2aae9edf1f681
Instruction ID: 9872ffa14c442fd4952d33201a9373317dc8b094eca9ad00e8384652fbf637fd
Opcode Fuzzy Hash: 110f65ba45a8a9fd12cb5b6a12b4fc0379e928c567e3ca708eb2aae9edf1f681
Instruction Fuzzy Hash: 2E11B479E00604A7DB20DFB1CC85AEE777CAF91760B148026F915DA182E7748985CB60

Function 009E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f726decd7150f4140776eb97147a57d73a1500ba3c8680eae026fa16157b2a
Instruction ID: 5cd0cf99f50de6d861e84386387ed5779d1ab6db4f42ee5bef423537aa92459d
Opcode Fuzzy Hash: 91f726decd7150f4140776eb97147a57d73a1500ba3c8680eae026fa16157b2a
Instruction Fuzzy Hash: AC01A2B220A69A3FF61216BA6CC1F67671CDF817B8B310725F521511D2DB758C804160

Function 00A11A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A11A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A11A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A11A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A11A8A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8fd78ee57d60459f3862c7035c3614f7045888a7883b113b5ecea8432a24a209
Instruction ID: 79bb8396e1917395f9419c0255815e0208b2d311091e2486bd76c45134988d3f
Opcode Fuzzy Hash: 8fd78ee57d60459f3862c7035c3614f7045888a7883b113b5ecea8432a24a209
Instruction Fuzzy Hash: F411F73A901219FFEB11DBA5C985FEDBB79EF08750F200091EA04B7290D6716E51DB94

Function 00A1E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A1E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A1E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A1E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A1E24D

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 72e170f4f58e230a7ab5ef3761727d05be45208bd1444bb01a4db61190280735
Instruction ID: e17b9e9ec3a481792a19166aa1a9161d8524a7c88ff6d6e0e942d2231e8f9884
Opcode Fuzzy Hash: 72e170f4f58e230a7ab5ef3761727d05be45208bd1444bb01a4db61190280735
Instruction Fuzzy Hash: EE112B7AA04254BBCB01DFE89C05ADE7FACEB86320F004215FD24D7291D2B1CD0187A0

Function 009DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,009DCFF9,00000000,00000004,00000000), ref: 009DD218
GetLastError.KERNEL32 ref: 009DD224
__dosmaperr.LIBCMT ref: 009DD22B
ResumeThread.KERNEL32(00000000), ref: 009DD249

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 84df02415032430b62fcfe8a12bc383a7f26a92eb758f03b7c7ffbc8937f284b
Instruction ID: e94cb1069bc76fd1bc213fb84f27d89705b2b8bb854320afece0098f5e3562c1
Opcode Fuzzy Hash: 84df02415032430b62fcfe8a12bc383a7f26a92eb758f03b7c7ffbc8937f284b
Instruction Fuzzy Hash: FF01D63A4461047BC7115BE5DC06BAA7A6DDFC2730F10821AFA35963D0CB719901C6A0

Function 00A49EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009C9BB2

GetClientRect.USER32(?,?), ref: 00A49F31
GetCursorPos.USER32(?), ref: 00A49F3B
ScreenToClient.USER32(?,?), ref: 00A49F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A49F7A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8010aaba86e65b99b789df7a18f591e7f17ab6324c10630ce1ed5604d1580d59
Instruction ID: 1c03dfcd48bd6088ed1af06775472584ddc81860f764c65d4dc399b80652db70
Opcode Fuzzy Hash: 8010aaba86e65b99b789df7a18f591e7f17ab6324c10630ce1ed5604d1580d59
Instruction Fuzzy Hash: 79115A3A90111AABDB00DFA8D889DEF77B8FB86311F000455F901E3140D731BE96CBA1

Function 009B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009B604C
GetStockObject.GDI32(00000011), ref: 009B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 009B606A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 395922a9d3062a47791aa5dd4a7e016d04866ac4e72035b4534ca770101e0f0e
Instruction ID: ae013ecffef3d56e6091a5df8b8377cb86104bb42511606f79ce5d9ed8fc863f
Opcode Fuzzy Hash: 395922a9d3062a47791aa5dd4a7e016d04866ac4e72035b4534ca770101e0f0e
Instruction Fuzzy Hash: 90116D76502508BFEF129FA69D44EFABB6DEF493B4F040215FA1452120D73AAC61DBA0

Function 009D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 009D3B56

Part of subcall function 009D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009D3AD2
Part of subcall function 009D3AA3: ___AdjustPointer.LIBCMT ref: 009D3AED

_UnwindNestedFrames.LIBCMT ref: 009D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 009D3BA4

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: efeafba9a223bf3202f0af9dbbeb1a88ada8e15878eda1fb346f41440ee17b5f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 5F012932140148BBDF125F95CC46EEB3B6DEF98795F04C01AFE4866221C736E961EBA1

Function 009E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009B13C6,00000000,00000000,?,009E301A,009B13C6,00000000,00000000,00000000,?,009E328B,00000006,FlsSetValue), ref: 009E30A5
GetLastError.KERNEL32(?,009E301A,009B13C6,00000000,00000000,00000000,?,009E328B,00000006,FlsSetValue,00A52290,FlsSetValue,00000000,00000364,?,009E2E46), ref: 009E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009E301A,009B13C6,00000000,00000000,00000000,?,009E328B,00000006,FlsSetValue,00A52290,FlsSetValue,00000000), ref: 009E30BF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 64b0d3e7573ea4fdb8b193d01b54776df7645eec7f24f935aefdccd08cc295cc
Instruction ID: 625fa0cb31d42fdbb00e9c43b3c91e8e58f627ea8418ea786a41bb87266eb58e
Opcode Fuzzy Hash: 64b0d3e7573ea4fdb8b193d01b54776df7645eec7f24f935aefdccd08cc295cc
Instruction Fuzzy Hash: 6C01AC3A702262ABCB72CBBADC48A67779CAF85772B118620F909D7150D726DD02C6D0

Function 00A17464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A1747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A17497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A174CA

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: bbbca1638cc1149569c24f77b2d2ec1c0d39939f0922cfab24cb2a6b90b45246
Instruction ID: 7481f1152e0df6a2598ff158788fe5f07edb4e73e7f8c2068891a248e7673db4
Opcode Fuzzy Hash: bbbca1638cc1149569c24f77b2d2ec1c0d39939f0922cfab24cb2a6b90b45246
Instruction Fuzzy Hash: 2F11A1B92063109BE720CF58DD08BD67BFCEB40B10F108569A65AD6151D7B1E984DB50

Function 00A1B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A1ACD3,?,00008000), ref: 00A1B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A1ACD3,?,00008000), ref: 00A1B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A1ACD3,?,00008000), ref: 00A1B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A1ACD3,?,00008000), ref: 00A1B126

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0c56c361b80aacbf4dd130c551cf16bf4de73357b13ebd8787cbaa80b8e6b744
Instruction ID: f730f15d2d23b5ac1b73b2008c85b1e8dd7dedf370b89cc9bda89c73b1760f2b
Opcode Fuzzy Hash: 0c56c361b80aacbf4dd130c551cf16bf4de73357b13ebd8787cbaa80b8e6b744
Instruction Fuzzy Hash: 4A116D35C1252CE7CF00EFE8E958AEEBB78FF4A721F114285D955B2181CB3056918B61

Function 00A47E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A47E33
ScreenToClient.USER32(?,?), ref: 00A47E4B
ScreenToClient.USER32(?,?), ref: 00A47E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A47E8A

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a3f50037a295b56d7ee7e4ff01dfc5ad527bfe31e869e8bdc6e9b97c8445be84
Instruction ID: 362c57ffa871067efe94b6a896498f96f5e80cab7d03d5f0145c6cea8221d985
Opcode Fuzzy Hash: a3f50037a295b56d7ee7e4ff01dfc5ad527bfe31e869e8bdc6e9b97c8445be84
Instruction Fuzzy Hash: 701153B9D0024AAFDB41CF98C884AEEBBF9FF49310F509166E915E3210D735AA55CF90

Function 00A12DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A12DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A12DD6
GetCurrentThreadId.KERNEL32 ref: 00A12DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A12DE4

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 99fe0b9ac33c4a5770fbaef0092544752c3fb98607f41c2798dba33bbe0f6bc4
Instruction ID: 7ee4519f2a5bdd80175a81fe3c3cb46f726deac7d17966925d836200fd1d988f
Opcode Fuzzy Hash: 99fe0b9ac33c4a5770fbaef0092544752c3fb98607f41c2798dba33bbe0f6bc4
Instruction Fuzzy Hash: 98E0657910222476D72057A2EC0DFE77E6CEB83B71F015115B109D10809A91C581C6B0

Function 00A48863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009C9693
Part of subcall function 009C9639: SelectObject.GDI32(?,00000000), ref: 009C96A2
Part of subcall function 009C9639: BeginPath.GDI32(?), ref: 009C96B9
Part of subcall function 009C9639: SelectObject.GDI32(?,00000000), ref: 009C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A48887
LineTo.GDI32(?,?,?), ref: 00A48894
EndPath.GDI32(?), ref: 00A488A4
StrokePath.GDI32(?), ref: 00A488B2

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8c37ab771a0ba6b3588965163bdc5de43baf43e6c12bffa8f098fe27f23a6e19
Instruction ID: 4fab8d60b8327cdb4b54b2dabe073eb12e6eee9fb1fe44a8593dd6c5bfb6c29d
Opcode Fuzzy Hash: 8c37ab771a0ba6b3588965163bdc5de43baf43e6c12bffa8f098fe27f23a6e19
Instruction Fuzzy Hash: 11F03A3E042258FADB529FD4AC09FCE3A59AF86321F448100FA15650E2C77A5512CBA9

Function 009C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009C98CC
SetTextColor.GDI32(?,?), ref: 009C98D6
SetBkMode.GDI32(?,00000001), ref: 009C98E9
GetStockObject.GDI32(00000005), ref: 009C98F1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b11c034ddbe653d5f1b245f913fa27bafc991ed79df30b7441957b80752d5931
Instruction ID: 162a82e8daa6ede6190fe9236bb22580087df5b2b8bb75086a98eeb2abac5c22
Opcode Fuzzy Hash: b11c034ddbe653d5f1b245f913fa27bafc991ed79df30b7441957b80752d5931
Instruction Fuzzy Hash: D8E06D39645284AAEB619BB8BC09BEC3F20AB56336F048319F6FA580E1C77256519B11

Function 00A1162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A11634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A111D9), ref: 00A1163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A111D9), ref: 00A11648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A111D9), ref: 00A1164F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bd99d68f3351e424947f511f57db52efa2fc5d0c53aa1e709592cb333a3f4a3c
Instruction ID: a477400056b62a01b071a6deabac6d239a8186323c1210b8a0d5aa06ffcc1578
Opcode Fuzzy Hash: bd99d68f3351e424947f511f57db52efa2fc5d0c53aa1e709592cb333a3f4a3c
Instruction Fuzzy Hash: 13E04F396022119BD7A05FE09D0DB863B68AF867A5F144808F249C9090D66645828B50

Function 00A0D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A0D858
GetDC.USER32(00000000), ref: 00A0D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A0D882
ReleaseDC.USER32(?), ref: 00A0D8A3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0b1237c8fe1e3f9f3d31c256174f3a1b29af7007e1569448710b0a78c2d75dbc
Instruction ID: e815777dbcda3646409084f94b50e07d536a0443ea623feaa920636907971dc5
Opcode Fuzzy Hash: 0b1237c8fe1e3f9f3d31c256174f3a1b29af7007e1569448710b0a78c2d75dbc
Instruction Fuzzy Hash: 7BE0E5B9801204DFCB81DFE09908A6DFBB1AB89320B119459F80AA7260C7398902AF40

Function 00A0D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A0D86C
GetDC.USER32(00000000), ref: 00A0D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A0D882
ReleaseDC.USER32(?), ref: 00A0D8A3

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5f10a7e553e775acf29f712ce0f33a062e935720e690e062fe8f69eeb1285bf4
Instruction ID: 1cbfc5d2239b37936a4710c02b80a7ce4678408ecc8007d48e323acfdaf894f6
Opcode Fuzzy Hash: 5f10a7e553e775acf29f712ce0f33a062e935720e690e062fe8f69eeb1285bf4
Instruction Fuzzy Hash: 19E01AB8C01204DFCB90DFE0D80866DFBB1BB89320B119448F80AE7260C73959029F40

Function 00A24D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 009B7620: _wcslen.LIBCMT ref: 009B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A24ED4

Strings

*, xrefs: 00A24E10
LPT, xrefs: 00A24DFB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f25cda94c94643da480e244f518798df30eabf22611d2c419ffc6682bffdd989
Instruction ID: d90b77a950fe62da5b50b611e9fce61a92b6670c54b484c7556b3c31695dd416
Opcode Fuzzy Hash: f25cda94c94643da480e244f518798df30eabf22611d2c419ffc6682bffdd989
Instruction Fuzzy Hash: C191A375A00214DFDB14DF58D584EA9BBF1BF88714F1980A9E80A9F3A2C731ED85CB91

Function 009DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009DE30D

Strings

pow, xrefs: 009DE2E5, 009DE302

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8c8d7aeae6da4938ff5cb6520705962fcea582c1301332bd887e2c58c53be5ac
Instruction ID: 02d304cf66779eabb628d4cb8cfac3092cdaf4c7ed33e82efa70c5ad8044af05
Opcode Fuzzy Hash: 8c8d7aeae6da4938ff5cb6520705962fcea582c1301332bd887e2c58c53be5ac
Instruction Fuzzy Hash: C4516B71A4C24296CB17B795CD01379BBACAB40741F30CD9AE0D54A3F9EB348CD69A87

Function 009CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 009CE1B1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b9fa053aa1c4cf895aa10839a06cd00f00926fb050b462f6b090098b11fd613d
Instruction ID: 709cb9212019ac238dab1276caf290e5f5d207c3c55515b922a1ad6c32255148
Opcode Fuzzy Hash: b9fa053aa1c4cf895aa10839a06cd00f00926fb050b462f6b090098b11fd613d
Instruction Fuzzy Hash: 28515735A0434ADFDB15DF68D081BFA7BA8EF55310F248459ECA29B2C0D7349D42EBA1

Function 009CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 009CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 009CF2BB

Strings

@, xrefs: 009CF2AF

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0feca919dbaa286e7f99a76c3441b440aa062328ba2859e2e59fa1d63758a3b2
Instruction ID: a73c36e2c6d5ab3a02bca9eedde63069afd373dac21b6bae4cff3934455fc843
Opcode Fuzzy Hash: 0feca919dbaa286e7f99a76c3441b440aa062328ba2859e2e59fa1d63758a3b2
Instruction Fuzzy Hash: AB5153724087489BD320EF50DD86BABBBF8FBC4310F81884DF1D9811A5EB708529CB66

Function 00A35745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A357E0
_wcslen.LIBCMT ref: 00A357EC

Strings

CALLARGARRAY, xrefs: 00A357E6, 00A357EB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 13232fa8da2ccf60e743257168d59eb79e3cc1b2ed9ffd124eaa5faa87713838
Instruction ID: 0ec08099ed3f4fee397a1bb5c36983e520f3b1646116cd397360bcc423b35294
Opcode Fuzzy Hash: 13232fa8da2ccf60e743257168d59eb79e3cc1b2ed9ffd124eaa5faa87713838
Instruction Fuzzy Hash: E9418E71E002099FCB14DFB9C9829EEBBB5EF99360F108069F505A7251E7309D81DBA0

Function 00A2D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A2D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A2D13A

Strings

|, xrefs: 00A2D10B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6a1b19e7ccff360c28ccee59ecaf1cf8fccadd111ca59d1e9dac4779df7d4525
Instruction ID: d83eb9ded87785d7e2e48ec78c190385185e2623410646fb936f734869e271f0
Opcode Fuzzy Hash: 6a1b19e7ccff360c28ccee59ecaf1cf8fccadd111ca59d1e9dac4779df7d4525
Instruction Fuzzy Hash: 92315E71D00219AFCF11EFA4DD85AEEBFB9FF45310F100029F815A61A2E735AA16CB50

Function 00A4356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A43621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A4365C

Strings

static, xrefs: 00A435BC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 48b8ddbaf961bf1823cd0ae790299c6ce8cb55ca077b451965db9cccd906af0f
Instruction ID: 2e65df2ea6c2085cc728050d30a6e2bb8a5c8849438ae573bbe106028f8f3797
Opcode Fuzzy Hash: 48b8ddbaf961bf1823cd0ae790299c6ce8cb55ca077b451965db9cccd906af0f
Instruction Fuzzy Hash: CA318F76100204AEDB10DF68DC81FFB73A9FF88720F119619F8A597280DB35AD91C760

Function 00A44537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A4461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A44634

Strings

', xrefs: 00A4458E

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6ab61a07d3996891ce4be27d9fd9af57bc0e7c0224527245efa869764f8b5bc9
Instruction ID: 9cec0775739cca467e396b1cf1fa98ed01cf1089edcd71088262f932956702ba
Opcode Fuzzy Hash: 6ab61a07d3996891ce4be27d9fd9af57bc0e7c0224527245efa869764f8b5bc9
Instruction Fuzzy Hash: F3312A78A013099FDF14CFA9C991BDABBB5FF89300F15406AE905AB351E770A941CF90

Function 00A431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A4327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A43287

Strings

Combobox, xrefs: 00A43249

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 392fbe23f08cf2fe7d2bcf51226c51756fd49d10ddafa02760163fb31500413a
Instruction ID: 631ebc02da9cbc93e17764b4bd3dae5a3e47a55bb722b38d426341d302152c82
Opcode Fuzzy Hash: 392fbe23f08cf2fe7d2bcf51226c51756fd49d10ddafa02760163fb31500413a
Instruction Fuzzy Hash: 7511B2763002087FFF259F94DC81EFB376AEBE4364F104225F91897290D6B59D518760

Function 00A43710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009B604C
Part of subcall function 009B600E: GetStockObject.GDI32(00000011), ref: 009B6060
Part of subcall function 009B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009B606A

GetWindowRect.USER32(00000000,?), ref: 00A4377A
GetSysColor.USER32(00000012), ref: 00A43794

Strings

static, xrefs: 00A43757

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f0d0f4b4971d4cd7988b214cd1c86fb001e6498bde6e23b69ff5d32721fc5aca
Instruction ID: cdd8c7535b9ccbcc8eb4dae69c935596717e964fae2d3bde9556cfd7dfb2a64a
Opcode Fuzzy Hash: f0d0f4b4971d4cd7988b214cd1c86fb001e6498bde6e23b69ff5d32721fc5aca
Instruction Fuzzy Hash: CF1126B6610209AFDF00DFA8CC46AEA7BB8FB49314F004915F996E2250E775E8519B60

Function 00A2CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A2CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A2CDA6

Strings

<local>, xrefs: 00A2CD66

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1efc01fc6cc0ceb891fd29dee5cb8aab8efd766332576ee89bfaf54b46992c46
Instruction ID: 85619dcb39e7c0c33d37e74dff43339a489ccc80687a611344b262b4a33c5c51
Opcode Fuzzy Hash: 1efc01fc6cc0ceb891fd29dee5cb8aab8efd766332576ee89bfaf54b46992c46
Instruction Fuzzy Hash: 8A11C6752056317AD7384B6A9C45FEBBE6CEF527B4F004636B10983080D7759945D6F0

Function 00A43429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A434BA

Strings

edit, xrefs: 00A4348F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9eadee56f761c5e5a4db96d912b8bc5ac84bab72661e93e3feb67fdd88284542
Instruction ID: 45ccf9f9c13a64a9394ba790e036f85d6cc27f4d835df624414e722b4c2304e1
Opcode Fuzzy Hash: 9eadee56f761c5e5a4db96d912b8bc5ac84bab72661e93e3feb67fdd88284542
Instruction Fuzzy Hash: AE11BF7A100108ABEF118FA4DC40AFB376AEB95775F504324F965931D0C775DC519750

Function 00A16C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A16CB6
_wcslen.LIBCMT ref: 00A16CC2

Strings

STOP, xrefs: 00A16CBC, 00A16CC1

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 4bf361885dbfb8f3887316e9ece157b5daaa74c528a090377e6d0516b3c61bb4
Instruction ID: e65fc4f4fb4f2aadbf9fb5fc4b25fee522f65329d22a1f56d8df888c966ead33
Opcode Fuzzy Hash: 4bf361885dbfb8f3887316e9ece157b5daaa74c528a090377e6d0516b3c61bb4
Instruction Fuzzy Hash: 5401D232A109268BCB20AFFDDC809FF77B5EBA57247500928E862D7190EB31D980C790

Function 00A11CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A11D4C

Strings

ListBox, xrefs: 00A11D16
ComboBox, xrefs: 00A11CEB

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 230632b4b9944f395b252bcb67f0ed65be8548e4cf2cc813fb9bf058f911f28b
Instruction ID: 54299ebdb578a30ce49ca306d516eeadf641de01a9c4e9d8a550fc9b7b796c16
Opcode Fuzzy Hash: 230632b4b9944f395b252bcb67f0ed65be8548e4cf2cc813fb9bf058f911f28b
Instruction Fuzzy Hash: BE012435A01218ABCF08EFA0DE51DFE77B8FB82360B144A09F966672C1EA305948C660

Function 00A11BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A11C46

Strings

ListBox, xrefs: 00A11C10
ComboBox, xrefs: 00A11BE5

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 23ca614a136caf646e70fa23202ac3bc0393919aaa82add4e8c4aade125d8dcc
Instruction ID: fc4330553687b2c134a92f6836769fbfd46201af45884af30d32cca8462dfcac
Opcode Fuzzy Hash: 23ca614a136caf646e70fa23202ac3bc0393919aaa82add4e8c4aade125d8dcc
Instruction Fuzzy Hash: D801A775B9110867CF04EBA0CE51AFF77A89B51350F144019AA0A67281EA649E4C86F1

Function 00A11C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A11CC8

Strings

ListBox, xrefs: 00A11C94
ComboBox, xrefs: 00A11C69

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 154bcd7ea24c9249d2ee7dc90f2fdc1a94d3f823acfd08f144531d548168dfb6
Instruction ID: ae71cef6ff51407cb21d824237dcc1e14b4571d2426a6c31866ed1daf4e3003e
Opcode Fuzzy Hash: 154bcd7ea24c9249d2ee7dc90f2fdc1a94d3f823acfd08f144531d548168dfb6
Instruction Fuzzy Hash: D701D675A8111867CF04EBA0CF41BFF77A8AB52350F144415BA0A73281FA619F58C6F1

Function 00A11D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B9CB3: _wcslen.LIBCMT ref: 009B9CBD

Part of subcall function 00A13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A13CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A11DD3

Strings

ListBox, xrefs: 00A11DA0
ComboBox, xrefs: 00A11D75

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f9ff66f5c13069358b93840fa036beaaa5b4a2e1a4e3167b5c952d0543d1b1f1
Instruction ID: 7764c3c92f2fab6df63bc1a278eed947feea479d13a4385efbf0f0e3b251e578
Opcode Fuzzy Hash: f9ff66f5c13069358b93840fa036beaaa5b4a2e1a4e3167b5c952d0543d1b1f1
Instruction Fuzzy Hash: F6F02871B5121867CB04FBA4DE92FFF77B8AB42360F040D19FA27632C1EA60590C82A0

Function 00A3747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A37493
_wcslen.LIBCMT ref: 00A374B9

Strings

3, 3, 16, 1, xrefs: 00A37483

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b4c81c63c0aabb2cad1d532beeb947ff5ff8580ef4c3722a27da9fd2bc636320
Instruction ID: 4672981f01e134dfe2688238dffdacb4b5227657a0e756fa1d8d359ff1b6778a
Opcode Fuzzy Hash: b4c81c63c0aabb2cad1d532beeb947ff5ff8580ef4c3722a27da9fd2bc636320
Instruction Fuzzy Hash: 9BE06142344320229331137BDDC1B7F5689DFC9BD0B10582BF9C5C6366FAA4DD9193A1

Function 00A10B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A10B23

Strings

AutoIt, xrefs: 00A10B17
Error allocating memory., xrefs: 00A10B1C

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ae98f79e2eecfaa1c479330f992bf8ff2f6d87079dc7884498cd58871c03dbc0
Instruction ID: 5791e818c8b51bf527171338d6acbf84f65fb3c1f544ea7b4911616b7e857e4b
Opcode Fuzzy Hash: ae98f79e2eecfaa1c479330f992bf8ff2f6d87079dc7884498cd58871c03dbc0
Instruction Fuzzy Hash: 77E0D83528931837D21037947C43FC97B849F45B30F10482AF78C955C38BE2249006E9

Function 009D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009D0D71,?,?,?,009B100A), ref: 009CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,009B100A), ref: 009D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009B100A), ref: 009D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009D0D7F

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2cf5d7524bce79cb4be474b91fc81ec6592277b099f28f2c29355aeddec36b04
Instruction ID: 696e9c31dfe7de049e7599a26aa6ec57fe490129fc1037681e827f419a9a0e96
Opcode Fuzzy Hash: 2cf5d7524bce79cb4be474b91fc81ec6592277b099f28f2c29355aeddec36b04
Instruction Fuzzy Hash: 94E039782003018BD360AFA8E4057867BE5AB84751F00892EE486C6691DBF1E4458BA1

Function 00A23017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A2302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A23044

Strings

aut, xrefs: 00A23038

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 88d3e07f1f572c0789bf87c339e0f8242da87b7e73227dbeb766c6fcbfc9e96e
Instruction ID: 0a6ddb0560e92d990b5d84f8f774a115d993124a84ca7ed5731ab8ba2ceb8aec
Opcode Fuzzy Hash: 88d3e07f1f572c0789bf87c339e0f8242da87b7e73227dbeb766c6fcbfc9e96e
Instruction Fuzzy Hash: 85D05E7A50132877DA60E7E4AC0EFCB3A6CDB45760F0006A1B659E2091DAF19985CAD4

Function 00A0D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A0D220

Strings

X64, xrefs: 00A0D2A8
%.3d, xrefs: 00A0D22B

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8f661e410d7ddeee5ef0f30240967cb81e096b3dcc52101b095df3b76ac85cba
Instruction ID: 6eadc8c9542c32497f64e4d1f3b5f89d245567a60a3032a1310f2e6a35a989c8
Opcode Fuzzy Hash: 8f661e410d7ddeee5ef0f30240967cb81e096b3dcc52101b095df3b76ac85cba
Instruction Fuzzy Hash: A9D012B6C0911CFACB90D6D0EC45DF9B37CBB4C301F508466F80EA1080D724C5086B62

Function 00A42322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A4232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A4233F

Part of subcall function 00A1E97B: Sleep.KERNEL32 ref: 00A1E9F3

Strings

Shell_TrayWnd, xrefs: 00A42325

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 13bd036a8caa20f7932ea89ec5c87e6c9334d0d8a7df461ef9822e5855ec82d7
Instruction ID: e505d675e06fc7a03e0f8deac91574c9e8f849371f678fdbe2431f14f0d340cf
Opcode Fuzzy Hash: 13bd036a8caa20f7932ea89ec5c87e6c9334d0d8a7df461ef9822e5855ec82d7
Instruction Fuzzy Hash: 65D0A73938130076D1A4E3709C0FFC6A5145B40710F0089017749A50D0C4A464018A00

Function 00A42356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A4236C
PostMessageW.USER32(00000000), ref: 00A42373

Part of subcall function 00A1E97B: Sleep.KERNEL32 ref: 00A1E9F3

Strings

Shell_TrayWnd, xrefs: 00A42365

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f3a44eb8adfdfbcb1824f0c2893e536d7e03f769c312a17e6f95b96dc648b6ce
Instruction ID: aafd41fc7c069f8b2bb321e6d04880a53440b4d71dd9474fad53ff9fdce44fc5
Opcode Fuzzy Hash: f3a44eb8adfdfbcb1824f0c2893e536d7e03f769c312a17e6f95b96dc648b6ce
Instruction Fuzzy Hash: 88D0A7393C130076E1A4E3709C0FFC6A5145741710F0089017749A50D0C4A464018A04

Function 009EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009EBE93
GetLastError.KERNEL32 ref: 009EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009EBEFC

Memory Dump Source

Source File: 00000000.00000002.1810321689.00000000009B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true

Associated: 00000000.00000002.1810243803.00000000009B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810549985.0000000000A72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810870398.0000000000A7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1810912854.0000000000A84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 222b0109452291e52b937a8464715401b2c75a46a985e5698cd88328b3a54498
Instruction ID: fa8ab3dce66c720bfa1a8b633ff01598bb6ebece6abfef19c5fc4cfbccb700d9
Opcode Fuzzy Hash: 222b0109452291e52b937a8464715401b2c75a46a985e5698cd88328b3a54498
Instruction Fuzzy Hash: C6410B34601286AFCF229FA6CC54BBBBBA8DF41320F14456DF959571A1DB318D01CB90

Analysis Process: firefox.exePID: 3220, Parent PID: 3848COMMON

Executed Functions

Function 0000011CDE02FCD9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1956393965.0000011CDE028000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000011CDE028000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_11cde028000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becb8396f7a96a9164882e7b0eb538ab454f5d44393d77c2868e388fe6707567
Instruction ID: 5dd2d7dc26a94f692280accd66e82a302b0fa68a057975c8079e9630682c0d07
Opcode Fuzzy Hash: becb8396f7a96a9164882e7b0eb538ab454f5d44393d77c2868e388fe6707567
Instruction Fuzzy Hash: B621BA7161890DAFDF88EB98C458B98F7B6FB6C311F26015AE01DE3251CB71B851CB51

Function 0000011CDE0298FD Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1956393965.0000011CDE028000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000011CDE028000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_11cde028000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a87ec9e446629f66919546d57a5239d6718e6e9399380a1ac0942ec86a235b
Instruction ID: 9a0a9652ee7fa5991ae5f0a3b810d34353786ae01062e43058c24fb2ddd80df9
Opcode Fuzzy Hash: 53a87ec9e446629f66919546d57a5239d6718e6e9399380a1ac0942ec86a235b
Instruction Fuzzy Hash: CC21283145CF554FEF1A4BB8A851BE63BE0EB0A314F9502AAD64D8B0C3C5219C51EBD2

Function 0000011CDE029930 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1956393965.0000011CDE028000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000011CDE028000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_11cde028000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba51ab5c3727462fc78528db1ed9ea5b3ba0717a4f5df73917285149e1791b28
Instruction ID: deee7530e4858bb30b84d2c5ee8adf859cf8c8a5dc275967dbaef75725897622
Opcode Fuzzy Hash: ba51ab5c3727462fc78528db1ed9ea5b3ba0717a4f5df73917285149e1791b28
Instruction Fuzzy Hash: 40112B7144CF254AFF2A4BAC6851BD637E0EB1A314F9502ABDA0CCB1C3D5219C91EBD2

Function 0000011CDE029911 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1956393965.0000011CDE028000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000011CDE028000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_11cde028000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96303fc11c68bf5d172b6af3fab0c40b10390ab3342b60931ce89727155ab2de
Instruction ID: 263bb5cb1df6037d42f8bc4f919914464d40421c25318e4fcd52fd109a21f041
Opcode Fuzzy Hash: 96303fc11c68bf5d172b6af3fab0c40b10390ab3342b60931ce89727155ab2de
Instruction Fuzzy Hash: 92112C7144CF254AEF2A4BAC68517D277D0DB09314F9502AFDA0C871C3D522AC51EAD2

Analysis Process: firefox.exePID: 7428, Parent PID: 3220COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001B1397F9972 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001B1397F99D7

Strings

A, xrefs: 000001B1397F99CF
z, xrefs: 000001B1397F9A0B
>, xrefs: 000001B1397F9A39
4, xrefs: 000001B1397FDA59
#, xrefs: 000001B1397F9A02
>, xrefs: 000001B1397FDA7F
#, xrefs: 000001B1397FAAB1
>, xrefs: 000001B1397FA7DC
z, xrefs: 000001B1397FAFB6
#, xrefs: 000001B1397F7D45

Memory Dump Source

Source File: 00000010.00000002.3009382813.000001B1397F7000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001B1397F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1b1397f7000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 36b2bdb96f937de2e13bae83db39cce7bc5485414324a5b482f63d87a6de9172
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 16A31831618A498BDB2DDF18CC956E973E6FB98710F54422ED84BD7291EF30E9068BC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.120 52.222.236.120

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1946395342.000001DF6D3B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1983198830.000001DF6EA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973806183.000001DF6EA29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1949512195.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943769021.000001DF6D0E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944082499.000001DF6C2BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1949512195.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943769021.000001DF6D0E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944082499.000001DF6C2BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1983198830.000001DF6EA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973806183.000001DF6EA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995363742.000001DF64F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1949512195.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943769021.000001DF6D0E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944082499.000001DF6C2BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1949512195.000001DF6D4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943769021.000001DF6D0E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944082499.000001DF6C2BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B13990A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B13990A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1992575294.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000621093.000001DF65C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3009910053.000001B13990A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1983198830.000001DF6EA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973806183.000001DF6EA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995363742.000001DF64F0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1961621558.000001DF6EABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1995059271.000001DF64F9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977448686.000001DF64F9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.120:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49880 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2d627b83-4d9d-43df-9aff-37184a419509.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_2d627b83-4d9d-43df-9aff-37184a419509.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre