Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532849
MD5:	0e2e68ee546c58add51d948916b1ec65
SHA1:	15f4b7ac02f7806b323c7f41e76ceaec6eb6f28b
SHA256:	36272524d243d3051cc9adfb870c8170f527b5e048f8562ea1bb4b426572e0c5
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0E2E68EE546C58ADD51D948916B1EC65)

taskkill.exe (PID: 7132 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1704 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2996 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3732 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7164 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 4040 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6408 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6192 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8742fd4-1926-4b7d-b5cd-227d1ca53650} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235cde6f710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7604 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -parentBuildID 20230927232528 -prefsHandle 1392 -prefMapHandle 3364 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7db5ca4-9b73-4566-854b-98eaaea695b3} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235dfecbf10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6360 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5460 -prefMapHandle 5440 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322df133-639f-4d6c-a4ae-c75d38c0f85a} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235e7749910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7084	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_008BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008BED6A

Source: C:\Users\user\Desktop\file.exe

0_2_008BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d289c25d-6
Source: file.exe, 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e955c431-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1ddaeebf-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d2cbf3a4-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F9DF0568B7 NtQuerySystemInformation,		16_2_000001F9DF0568B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F9DF0737B2 NtQuerySystemInformation,		16_2_000001F9DF0737B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B2046	0_2_008B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00848060	0_2_00848060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A8298	0_2_008A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087E4FF	0_2_0087E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087676B	0_2_0087676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D4873	0_2_008D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086CAA0	0_2_0086CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084CAF0	0_2_0084CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085CC39	0_2_0085CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00876DD9	0_2_00876DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008491C0	0_2_008491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085B119	0_2_0085B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861394	0_2_00861394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861706	0_2_00861706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086781B	0_2_0086781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008619B0	0_2_008619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00847920	0_2_00847920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085997D	0_2_0085997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00867A4A	0_2_00867A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00867CA7	0_2_00867CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861C77	0_2_00861C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00879EEE	0_2_00879EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CBE44	0_2_008CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861F32	0_2_00861F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F9DF0568B7	16_2_000001F9DF0568B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F9DF0737B2	16_2_000001F9DF0737B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F9DF073EDC	16_2_000001F9DF073EDC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F9DF0737F2	16_2_000001F9DF0737F2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00860A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0085F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@72/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B37B5 GetLastError,FormatMessageW,

0_2_008B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A10BF AdjustTokenPrivileges,CloseHandle,		0_2_008A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008AD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927297046.00000235E90A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928271599.00000235E77C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1927488251.00000235E796D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942855075.00000235E90BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927297046.00000235E90AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8742fd4-1926-4b7d-b5cd-227d1ca53650} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235cde6f710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -parentBuildID 20230927232528 -prefsHandle 1392 -prefMapHandle 3364 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7db5ca4-9b73-4566-854b-98eaaea695b3} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235dfecbf10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5460 -prefMapHandle 5440 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322df133-639f-4d6c-a4ae-c75d38c0f85a} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235e7749910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8742fd4-1926-4b7d-b5cd-227d1ca53650} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235cde6f710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -parentBuildID 20230927232528 -prefsHandle 1392 -prefMapHandle 3364 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7db5ca4-9b73-4566-854b-98eaaea695b3} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235dfecbf10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5460 -prefMapHandle 5440 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322df133-639f-4d6c-a4ae-c75d38c0f85a} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235e7749910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1886719203.00000235DD5D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1886719203.00000235DD5D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1886719203.00000235DD5D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1881157649.00000235E9303000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1886719203.00000235DD5D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1881157649.00000235E9303000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00860A76 push ecx; ret

0_2_00860A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0085F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96013

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F9DF0568B7 rdtsc

16_2_000001F9DF0568B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B68EE FindFirstFileW,FindClose,	0_2_008B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Source: firefox.exe, 0000000F.00000002.3620104787.000002035E600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: firefox.exe, 00000011.00000002.3619038138.00000221A6B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: firefox.exe, 0000000F.00000002.3615654230.000002035E06A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3619036511.000001F9DF530000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3613373986.000001F9DEC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3619529706.000002035E514000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3620104787.000002035E600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: firefox.exe, 00000011.00000002.3614213151.00000221A675A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 0000000F.00000002.3620104787.000002035E600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3619036511.000001F9DF530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F9DF0568B7 rdtsc

16_2_000001F9DF0568B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008BEAA2 BlockInput,

0_2_008BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00872622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00872622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00864CE8 mov eax, dword ptr fs:[00000030h]

0_2_00864CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008A0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00872622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00872622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0086083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008609D5 SetUnhandledExceptionFilter,	0_2_008609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00860C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00860C21

Source: C:\Users\user\Desktop\file.exe

0_2_008A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00882BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00882BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AB226 SendInput,keybd_event,

0_2_008AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008C22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_008A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1876031396.00000235E9303000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00860698 cpuid

0_2_00860698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_008B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0089D27A GetUserNameW,

0_2_0089D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0087BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7084, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7084, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_008C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	52.222.236.120	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1955539748.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830027329.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6AC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1978827925.00000235DF611000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1954346046.00000235E7722000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985359250.00000235E772A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7721000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3616288753.000002035E3B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEFE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3619271099.00000221A6C03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1831994183.00000235DE336000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3614918161.000001F9DEF86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6A8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1972485268.00000235DF167000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1833840342.00000235DF867000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1964817827.00000235DF6E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977161382.00000235DAC55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929811912.00000235E5B16000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1980057831.00000235DDD18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1797094943.00000235DD95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797938032.00000235DD977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795470295.00000235DD93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794843832.00000235DD700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795257907.00000235DD91F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1978884270.00000235DE6E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978884270.00000235DE68C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1967555879.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954002577.00000235E7762000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7762000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1955539748.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1797094943.00000235DD95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797938032.00000235DD977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795470295.00000235DD93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794843832.00000235DD700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971505398.00000235DF3C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966741203.00000235DF3C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904283018.00000235DF5EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795257907.00000235DD91F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841349101.00000235E0228000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000D.00000003.1976687323.00000235DB271000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1987025045.00000235E5AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967917968.00000235E5AD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954763249.00000235E5AD1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1797094943.00000235DD95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797938032.00000235DD977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795470295.00000235DD93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794843832.00000235DD700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795257907.00000235DD91F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1933238361.00000235E057B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1972485268.00000235DF167000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3616288753.000002035E3B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEFE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3619271099.00000221A6C03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1947910846.00000235E774E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1934991810.00000235E04AA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3616288753.000002035E3B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEFE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3619271099.00000221A6C03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1934991810.00000235E04AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEF0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6A0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1861834188.00000235DEB27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1993949214.00000235DEE7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1947910846.00000235E774E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1955539748.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830027329.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6AC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1963619141.00000235E5AAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1951243720.00000235DF511000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1928371876.00000235E61E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964398432.00000235DFA49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1954399396.00000235E64F8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1964817827.00000235DF6E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830027329.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEF12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6A13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1928371876.00000235E611D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1955539748.00000235E16E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1929623085.00000235E5B40000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000D.00000003.1976485107.00000235DB2F4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1953168757.00000235DF50D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952227776.00000235DF59D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980167151.00000235DD28D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951243720.00000235DF506000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901291713.00000235DF47A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004979712.00000235DD93B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955591879.00000235E1630000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989046872.00000235E0709000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951099731.00000235E0245000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931472521.00000235E114A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929971100.00000235E16D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890381348.00000235DF48F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959277745.00000235DDEFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951243720.00000235DF511000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904719157.00000235DEBB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899842873.00000235DF08B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891585269.00000235E1449000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975670307.00000235DDFCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806394980.00000235DDEDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916167541.00000235DEBC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907719053.00000235DEBB4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1987025045.00000235E5AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967917968.00000235E5AD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954763249.00000235E5AD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1987025045.00000235E5AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967917968.00000235E5AD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954763249.00000235E5AD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947815212.00000235E77B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947815212.00000235E77B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1929623085.00000235E5B40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1831994183.00000235DE336000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1929029792.00000235E5B82000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1833840342.00000235DF867000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1929029792.00000235E5B8B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1801085730.00000235DD11E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800496633.00000235DD133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801375263.00000235DD133000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1934729494.00000235E04C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1932175646.00000235E07B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1988941344.00000235E07BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1861834188.00000235DEB27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1801085730.00000235DD11E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800496633.00000235DD133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801375263.00000235DD133000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1947910846.00000235E774E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3616288753.000002035E3B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3614918161.000001F9DEFE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3619271099.00000221A6C03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1978884270.00000235DE669000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974358095.00000235DED75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1833840342.00000235DF867000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1928271599.00000235E77C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927488251.00000235E796D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1985250599.00000235E7991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3615919411.000002035E170000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3617874398.000001F9DF000000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3615278125.00000221A6900000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
52.222.236.120	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532849
Start date and time:	2024-10-14 01:07:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@72/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 93% Number of executed functions: 40 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.25.49.43, 35.83.8.120, 52.26.161.5, 172.217.18.10, 142.250.186.42, 172.217.16.206, 2.22.61.56, 2.22.61.59, 172.217.23.110
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 2720 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.120	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.149.100.209	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
34.160.144.191	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	108.156.60.43
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
star-mini.c10r.facebook.com	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://ernestlerma.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
	http://mngop.com/	Get hash	malicious	Unknown	Browse	157.240.252.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
ATGS-MMD-ASUS	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.170.150.109
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	48.148.228.44
AMAZON-02US	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	52.210.33.116
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	Unknown	Browse	52.210.33.116
	https://payrollruntimesheet.weebly.com/verify.html	Get hash	malicious	HTMLPhisher	Browse	50.112.173.192
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	108.156.60.94
	http://chwcs91azo1jf8f6b6acu6sf7da7lxazxwg6fo8epa.sbxaccountants.com.au/	Get hash	malicious	Captcha Phish	Browse	18.245.78.122
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	52.36.31.154
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	108.138.2.33
	https://fexegreuyauja-8124.vercel.app/mixc.html	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://verfiy-blue-badge-sign-up.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.98
ATGS-MMD-ASUS	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.170.150.109
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	48.148.228.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7a006e65-81c7-44e6-bca9-904f9547e6f3.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180738765061967
Encrypted:	false
SSDEEP:	192:djMXxtmcbhbVbTbfbRbObtbyEl7norFJA6WnSrDtTUd/SkDr+:dY6cNhnzFSJIrABnSrDhUd/Y
MD5:	24F29A436148C999B6429BD3487082FF
SHA1:	8DA186954EAC759FF00896A552265683AFB429EB
SHA-256:	CD7230C9F205BAF46830C1E4153E3E1E0BFEF1C1E6CC38E707D13EAB3BA341F8
SHA-512:	C75DFA4D25D04D35B6135A7510C896A8437548EA194022AAF99E65D4A53D6726C7CAE97550104930D445AFA28532B39650A6FB175F24BE4B1A88513C960CA81F
Malicious:	false
Preview:	{"type":"uninstall","id":"7a006e65-81c7-44e6-bca9-904f9547e6f3","creationDate":"2024-10-14T00:23:05.744Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7a006e65-81c7-44e6-bca9-904f9547e6f3.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180738765061967
Encrypted:	false
SSDEEP:	192:djMXxtmcbhbVbTbfbRbObtbyEl7norFJA6WnSrDtTUd/SkDr+:dY6cNhnzFSJIrABnSrDhUd/Y
MD5:	24F29A436148C999B6429BD3487082FF
SHA1:	8DA186954EAC759FF00896A552265683AFB429EB
SHA-256:	CD7230C9F205BAF46830C1E4153E3E1E0BFEF1C1E6CC38E707D13EAB3BA341F8
SHA-512:	C75DFA4D25D04D35B6135A7510C896A8437548EA194022AAF99E65D4A53D6726C7CAE97550104930D445AFA28532B39650A6FB175F24BE4B1A88513C960CA81F
Malicious:	false
Preview:	{"type":"uninstall","id":"7a006e65-81c7-44e6-bca9-904f9547e6f3","creationDate":"2024-10-14T00:23:05.744Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	dropped
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315689513550403
Encrypted:	false
SSDEEP:	24:XdffMuxAl9TIUx2dWoM15JLN8zmGdffMuxAl9swM+bpoqdWoM15JLFX1Rgmsdff4:XdilaUgdwqzpdilq6BdwWHdilKadwE1
MD5:	A408DB8144013C25986BED6B3C3C9306
SHA1:	DD614BA87DFD8686FAEB43DFECCF5BCED5D3869B
SHA-256:	963E053C13FB44E025C147A1E3E5E01F5B4C28D7A7B56ED3813DAD1B7E798931
SHA-512:	82C726D858E30CAEFD7CFEC023CC50BD630A71C9F055697FC2FEB50CD1848737875B1E3A91184BAC6FBF89E48733B26AED9D51D3267990E5F5B5C23774E61BB6
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........^-.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IMY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WMY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WMY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............t.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315689513550403
Encrypted:	false
SSDEEP:	24:XdffMuxAl9TIUx2dWoM15JLN8zmGdffMuxAl9swM+bpoqdWoM15JLFX1Rgmsdff4:XdilaUgdwqzpdilq6BdwWHdilKadwE1
MD5:	A408DB8144013C25986BED6B3C3C9306
SHA1:	DD614BA87DFD8686FAEB43DFECCF5BCED5D3869B
SHA-256:	963E053C13FB44E025C147A1E3E5E01F5B4C28D7A7B56ED3813DAD1B7E798931
SHA-512:	82C726D858E30CAEFD7CFEC023CC50BD630A71C9F055697FC2FEB50CD1848737875B1E3A91184BAC6FBF89E48733B26AED9D51D3267990E5F5B5C23774E61BB6
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........^-.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IMY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WMY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WMY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............t.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C94QBWI5PPYC4QEB1D1D.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315689513550403
Encrypted:	false
SSDEEP:	24:XdffMuxAl9TIUx2dWoM15JLN8zmGdffMuxAl9swM+bpoqdWoM15JLFX1Rgmsdff4:XdilaUgdwqzpdilq6BdwWHdilKadwE1
MD5:	A408DB8144013C25986BED6B3C3C9306
SHA1:	DD614BA87DFD8686FAEB43DFECCF5BCED5D3869B
SHA-256:	963E053C13FB44E025C147A1E3E5E01F5B4C28D7A7B56ED3813DAD1B7E798931
SHA-512:	82C726D858E30CAEFD7CFEC023CC50BD630A71C9F055697FC2FEB50CD1848737875B1E3A91184BAC6FBF89E48733B26AED9D51D3267990E5F5B5C23774E61BB6
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........^-.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IMY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WMY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WMY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............t.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z07K3J0Q26EHY2CW379H.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.315689513550403
Encrypted:	false
SSDEEP:	24:XdffMuxAl9TIUx2dWoM15JLN8zmGdffMuxAl9swM+bpoqdWoM15JLFX1Rgmsdff4:XdilaUgdwqzpdilq6BdwWHdilKadwE1
MD5:	A408DB8144013C25986BED6B3C3C9306
SHA1:	DD614BA87DFD8686FAEB43DFECCF5BCED5D3869B
SHA-256:	963E053C13FB44E025C147A1E3E5E01F5B4C28D7A7B56ED3813DAD1B7E798931
SHA-512:	82C726D858E30CAEFD7CFEC023CC50BD630A71C9F055697FC2FEB50CD1848737875B1E3A91184BAC6FBF89E48733B26AED9D51D3267990E5F5B5C23774E61BB6
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........^-.............S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IMY......B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WMY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WMY................................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............t.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924869830168049
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLwQ/8P:8S+OBIUjOdwiOdYVjjwL9/8P
MD5:	E6F8A3A7EF81EDCB4ACD42B3C1E13C00
SHA1:	3E5ABCC2F261A5B952622C70E17ACFE07493090F
SHA-256:	9FBBC63DABE095713A1AB8182419F27B83161E5E7F183C0B56E9AA2F141B4710
SHA-512:	3F48B3507C04CA7210725370A63FF282506353C50469938524C5F6DAE2E11539AF9ECF9C95F9871CBB215DC72BDE1917372DAA0FB5A003D3692F8586E1B89082
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924869830168049
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLwQ/8P:8S+OBIUjOdwiOdYVjjwL9/8P
MD5:	E6F8A3A7EF81EDCB4ACD42B3C1E13C00
SHA1:	3E5ABCC2F261A5B952622C70E17ACFE07493090F
SHA-256:	9FBBC63DABE095713A1AB8182419F27B83161E5E7F183C0B56E9AA2F141B4710
SHA-512:	3F48B3507C04CA7210725370A63FF282506353C50469938524C5F6DAE2E11539AF9ECF9C95F9871CBB215DC72BDE1917372DAA0FB5A003D3692F8586E1B89082
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07327543062535088
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkijW:DLhesh7Owd4+jijW
MD5:	4EDA6F2F329D233E2706AA1B57929845
SHA1:	2872148437E053E1218AA888BA8D0F471FAF90EE
SHA-256:	7D1A7D9227F6F5B517A0479501AE2FF70106B7E6554550D530373A30BC4C6D0A
SHA-512:	86C1A8D9DBCD810EF5BC96F8DF9F2E7EE9A5775C8463124181E3FF48CACD126C860A8D51C7927909430EDAF78D628EF19B6483EA37C4D80A2CA1933E3749F8DB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039667308764353294
Encrypted:	false
SSDEEP:	3:GHlhVtGf2t20vGHlhVtGf2t20vAl8a9//Ylll4llqlyllel4lt:G7Vcf2vu7Vcf2vIL9XIwlio
MD5:	FFF7139674F8A057722C48337334F251
SHA1:	ACCB91259218C17378D77B87562FA3EC559D7BFE
SHA-256:	697D1BFB2150A393940B7815AD01D766320BC4E33239AC6DD215B5A3145F4958
SHA-512:	A1C609D18E6390F6013107B391A99B6137204BB5D1F6F07C53B80DF25C18415EC1DFA002B83C8F775E7B679EECE25032D477D7568EF64A8F65379D8A37ABE26C
Malicious:	false
Preview:	..-......................(...yo...a.Z...m.K"o.>J..-......................(...yo...a.Z...m.K"o.>J........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11791582948886634
Encrypted:	false
SSDEEP:	24:KqejRfkcLxsZ+RhjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxZwlT3XVZ2i7+:7wMIQWvJtUnWdU+RVxivZk
MD5:	758AEB9176F31502EC4D98BE453EF26C
SHA1:	EB266B6B461948371754BEA1970A810A0C325AF3
SHA-256:	4DBF8848F78BDA9157104BD642C1895851390633CD6E3A85118B36C8906C43ED
SHA-512:	5454E5460DCBBC80F44BC33CB7F49F7401DD9235DC50B98473DC8028FF5B3BCC1F20C0D11ACF117FE7D833E06B045472A2A22F0FA7B4EAE60FE93C602D4FB11B
Malicious:	false
Preview:	7....-............a.Z....(.)N.g(..........a.Z........-{................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495920865992948
Encrypted:	false
SSDEEP:	192:inaRtLYbBp6nhj4qyaaXu6KHbJNNi5RfGNBw8dGSl:netqGEX0cwh0
MD5:	0D6BE4837DF0867C583AA9771DA8F688
SHA1:	38CE97008CF9B3C16DA2D5C5AB4F8F45442BEC97
SHA-256:	C284B8D628FD6C84B639B13A8284B35B2A30B4AD9C5BC11D4B1C535191451808
SHA-512:	78C17205825C978420EA9B1462532973C5B71059FAD115B4803322A2FB8DA3FA401A6777752009CBC123AA9145CE139F364BE191CA3A32A0C62C450E3690EC54
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728865356);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728865356);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728865356);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172886

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495920865992948
Encrypted:	false
SSDEEP:	192:inaRtLYbBp6nhj4qyaaXu6KHbJNNi5RfGNBw8dGSl:netqGEX0cwh0
MD5:	0D6BE4837DF0867C583AA9771DA8F688
SHA1:	38CE97008CF9B3C16DA2D5C5AB4F8F45442BEC97
SHA-256:	C284B8D628FD6C84B639B13A8284B35B2A30B4AD9C5BC11D4B1C535191451808
SHA-512:	78C17205825C978420EA9B1462532973C5B71059FAD115B4803322A2FB8DA3FA401A6777752009CBC123AA9145CE139F364BE191CA3A32A0C62C450E3690EC54
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728865356);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728865356);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728865356);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172886

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\c4ec3330-c283-4504-88ff-1de7fbd43850 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.955414240441965
Encrypted:	false
SSDEEP:	12:YZFgmdDYIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YiSlCOlZGV1AQIWZcy6Z2d
MD5:	9F96EA962AC69B734BFA618CF0D4080C
SHA1:	60B28612F057FA973307CBFC48D04E377A8987D4
SHA-256:	0B0DAC8588FA0C8E3FDDE4C99A37A37C8DCCEF9177763CFD46D24E063126DFB8
SHA-512:	FE6EE757AF4B7661D4756F72BBC03686BE3C49385676413DA743E96D88320C2CA6DEB69A8C1CFF65D4A0212C213A5EB6751925F5A608AED2582C40B70CBE3BD7
Malicious:	false
Preview:	{"type":"health","id":"c4ec3330-c283-4504-88ff-1de7fbd43850","creationDate":"2024-10-14T00:23:06.233Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\c4ec3330-c283-4504-88ff-1de7fbd43850.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.955414240441965
Encrypted:	false
SSDEEP:	12:YZFgmdDYIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YiSlCOlZGV1AQIWZcy6Z2d
MD5:	9F96EA962AC69B734BFA618CF0D4080C
SHA1:	60B28612F057FA973307CBFC48D04E377A8987D4
SHA-256:	0B0DAC8588FA0C8E3FDDE4C99A37A37C8DCCEF9177763CFD46D24E063126DFB8
SHA-512:	FE6EE757AF4B7661D4756F72BBC03686BE3C49385676413DA743E96D88320C2CA6DEB69A8C1CFF65D4A0212C213A5EB6751925F5A608AED2582C40B70CBE3BD7
Malicious:	false
Preview:	{"type":"health","id":"c4ec3330-c283-4504-88ff-1de7fbd43850","creationDate":"2024-10-14T00:23:06.233Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	6.358188802129483
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSIkJPLXnIg5/pnxQwRlszT5sKt043eHVQj6TNamhuwJJlOsIomNVrd:GUpOx+JPrnR673eHTNLJlIp44
MD5:	98568EB17F4BE6830324955599BD66D2
SHA1:	57285C47906D0370AF8E81AFB00F6B29BF50D4E9
SHA-256:	2AAD6406F24E0FE28C6854E227A189482E0AC12DB7BD69716B1CDAD22C9BF161
SHA-512:	B6A23A3455DECD1868DFD8A1983595B02F09BD86959B8DBFE9B46A5441359767116AC85496F64B8925EB93F046979D2F2FF9CEC12D9A33DFBDB780EF9298EFEC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5cc08241-7914-4e0c-ab6a-20db8ce83252}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728865360983,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P25706...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32332,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	6.358188802129483
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSIkJPLXnIg5/pnxQwRlszT5sKt043eHVQj6TNamhuwJJlOsIomNVrd:GUpOx+JPrnR673eHTNLJlIp44
MD5:	98568EB17F4BE6830324955599BD66D2
SHA1:	57285C47906D0370AF8E81AFB00F6B29BF50D4E9
SHA-256:	2AAD6406F24E0FE28C6854E227A189482E0AC12DB7BD69716B1CDAD22C9BF161
SHA-512:	B6A23A3455DECD1868DFD8A1983595B02F09BD86959B8DBFE9B46A5441359767116AC85496F64B8925EB93F046979D2F2FF9CEC12D9A33DFBDB780EF9298EFEC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5cc08241-7914-4e0c-ab6a-20db8ce83252}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728865360983,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P25706...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32332,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	6.358188802129483
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSIkJPLXnIg5/pnxQwRlszT5sKt043eHVQj6TNamhuwJJlOsIomNVrd:GUpOx+JPrnR673eHTNLJlIp44
MD5:	98568EB17F4BE6830324955599BD66D2
SHA1:	57285C47906D0370AF8E81AFB00F6B29BF50D4E9
SHA-256:	2AAD6406F24E0FE28C6854E227A189482E0AC12DB7BD69716B1CDAD22C9BF161
SHA-512:	B6A23A3455DECD1868DFD8A1983595B02F09BD86959B8DBFE9B46A5441359767116AC85496F64B8925EB93F046979D2F2FF9CEC12D9A33DFBDB780EF9298EFEC
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5cc08241-7914-4e0c-ab6a-20db8ce83252}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1728865360983,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P25706...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32332,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032680910601752
Encrypted:	false
SSDEEP:	48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	D9536AA39560A608AD6E791C97C6A9CE
SHA1:	42023911B0A101DAD216313385BB26E680679D5E
SHA-256:	FD207559D590E7DB6DE95061E830B15692119578B75DF7F7873B267E77338145
SHA-512:	01398A1669953ED901E8C0C4456D5879029383BDFB1F0E891B5D60C5B42456E39705F9B84BD64DD3D4E085860912FDA5C488AC7D951E39087524DFD0D2DE850E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T00:22:14.812Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032680910601752
Encrypted:	false
SSDEEP:	48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	D9536AA39560A608AD6E791C97C6A9CE
SHA1:	42023911B0A101DAD216313385BB26E680679D5E
SHA-256:	FD207559D590E7DB6DE95061E830B15692119578B75DF7F7873B267E77338145
SHA-512:	01398A1669953ED901E8C0C4456D5879029383BDFB1F0E891B5D60C5B42456E39705F9B84BD64DD3D4E085860912FDA5C488AC7D951E39087524DFD0D2DE850E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T00:22:14.812Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584689882024764
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	0e2e68ee546c58add51d948916b1ec65
SHA1:	15f4b7ac02f7806b323c7f41e76ceaec6eb6f28b
SHA256:	36272524d243d3051cc9adfb870c8170f527b5e048f8562ea1bb4b426572e0c5
SHA512:	551568207957dd4b55b228bfc1d3c71267d9c4964524d40689e38a8c30cefdeb443ab56e1dc91545b15a77d0cd1da124d460d987165a678b93ab3826c819cdaa
SSDEEP:	12288:VqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T/:VqDEvCTbMWu7rQYlBQcBiT6rprG8ab/
TLSH:	1E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C4DE9 [Sun Oct 13 22:47:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6EAD9B53F3h
jmp 00007F6EAD9B4CFFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6EAD9B4EDDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6EAD9B4EAAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6EAD9B7A9Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6EAD9B7AE8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6EAD9B7AD1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	a65c523417c94ab6e1c868a40e776f8c	False	0.31561511075949367	data	5.373772425782651	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 01:08:29.381629944 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:29.381675005 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:29.384072065 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:29.389621019 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:29.389640093 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:29.892347097 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:29.896682978 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:29.910991907 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:29.911015034 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:29.911118031 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:29.911700010 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:29.918405056 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:31.418381929 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:31.418421030 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:31.418498993 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:31.419770956 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:31.419789076 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:31.566914082 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:31.567003012 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:31.577512980 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:31.578689098 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:31.582850933 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:31.583296061 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:31.583323956 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:31.594449997 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:31.605079889 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:31.610276937 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.006668091 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.006726980 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.006875038 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.008106947 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.008143902 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.011878967 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.011964083 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:32.015095949 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.015194893 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.015228987 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:32.020340919 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.020380020 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.021473885 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.022667885 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.022689104 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.057884932 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.070631981 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.071238995 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.079410076 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.080357075 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.085772991 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.085798979 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.085850000 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.086054087 CEST	443	49738	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.086127996 CEST	49738	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.111468077 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.133537054 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.138629913 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.140469074 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.140469074 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.145452023 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.250660896 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.250694990 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.250756025 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.254343033 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.254403114 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.254431963 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.258385897 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.258418083 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.258536100 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.258652925 CEST	443	49739	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.258711100 CEST	49739	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.258935928 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.259017944 CEST	443	49745	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.259107113 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.260406017 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.260454893 CEST	443	49745	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.289592981 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.289633036 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.290209055 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.290376902 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.290395975 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.495335102 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.495410919 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.499759912 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.499777079 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.499872923 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.500036955 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.500370026 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.500454903 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.501348972 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:32.502226114 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.502387047 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.502387047 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.505281925 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.505335093 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:32.505764008 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:32.506736040 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.506814957 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.509073973 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.509073973 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.509422064 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:32.509594917 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:32.527456045 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.532885075 CEST	80	49740	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.532989979 CEST	49740	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.533003092 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.533142090 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.537024021 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.537036896 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.537132025 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.537394047 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.537458897 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.537699938 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.537782907 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.537910938 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.539258003 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:32.539302111 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:32.600313902 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.600559950 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.605953932 CEST	80	49744	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.609231949 CEST	49744	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.662729025 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.667762995 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.667864084 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.667977095 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:32.672769070 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:32.792473078 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.792542934 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.795330048 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.795342922 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.795743942 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.798069954 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.798171043 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.798259020 CEST	443	49746	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.798552036 CEST	49746	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.798660040 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.798743963 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.799041986 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.799041986 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:32.799174070 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:32.906593084 CEST	443	49745	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.906682968 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.907181025 CEST	443	49745	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.907506943 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.911147118 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.911174059 CEST	443	49745	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.911237001 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:32.911493063 CEST	443	49745	142.250.186.142	192.168.2.4
Oct 14, 2024 01:08:32.911551952 CEST	49745	443	192.168.2.4	142.250.186.142
Oct 14, 2024 01:08:33.016994953 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.017205954 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.017782927 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.017870903 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.023483038 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.023483992 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.023541927 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.023905993 CEST	443	49747	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.024187088 CEST	49747	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.025151014 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.025228977 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.025280952 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.025506973 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.025696993 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.063945055 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.064024925 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.067282915 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.068766117 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.068803072 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.118954897 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:33.167634010 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.304059982 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:33.304743052 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:33.311135054 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:33.311187983 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:33.311676979 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:33.344284058 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:33.344284058 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:33.344768047 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 01:08:33.347130060 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 01:08:33.523241997 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.528376102 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:33.550307989 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.562784910 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.563503027 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.565324068 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.567790985 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:33.568932056 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.569538116 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.570048094 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.570070982 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.570131063 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.570396900 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.570429087 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.570760965 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.574421883 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:33.579292059 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.579305887 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.580729961 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:33.580753088 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:33.619868994 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:33.669629097 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.941756010 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:33.949127913 CEST	80	49753	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:33.950262070 CEST	49753	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.068139076 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:34.068156958 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:34.073034048 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:34.076546907 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:34.076548100 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:34.076575994 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:34.077349901 CEST	443	49754	34.117.188.166	192.168.2.4
Oct 14, 2024 01:08:34.078146935 CEST	49754	443	192.168.2.4	34.117.188.166
Oct 14, 2024 01:08:34.215733051 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.220818996 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.225353956 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.225539923 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.230360031 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.536257029 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.541337967 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.632611990 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.646421909 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.651840925 CEST	80	49756	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.655174971 CEST	49756	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.655760050 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.660861015 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.661493063 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.661493063 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.666512012 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:34.679828882 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:34.715349913 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:34.715452909 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:34.717355013 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:34.718832970 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:34.718926907 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:34.912805080 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:34.912842035 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:34.913273096 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:34.914397955 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:34.914412975 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:34.915627003 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:34.915712118 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:34.916476965 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:34.916580915 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:34.916603088 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:34.926309109 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:34.926322937 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:34.926804066 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:34.930634975 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:34.930646896 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:35.157603979 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:35.212594986 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:35.212776899 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:35.226953983 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:35.230941057 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:35.230942011 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:35.231053114 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:35.231734037 CEST	443	49759	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:35.236790895 CEST	49759	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:35.262667894 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:35.267613888 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:35.360006094 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:35.363316059 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:35.368314981 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:35.390342951 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:35.390419960 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:35.405416965 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:35.405458927 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:35.406063080 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:35.407980919 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:35.408071995 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:35.408371925 CEST	443	49761	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:35.408513069 CEST	49761	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:35.412646055 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:35.413139105 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:35.413180113 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:35.417017937 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:35.417017937 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:35.417032957 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:35.417273045 CEST	443	49760	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:35.417344093 CEST	49760	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:35.422852039 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:35.422909021 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:35.465039015 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:35.482436895 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:35.482438087 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:35.482461929 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:35.483052969 CEST	443	49762	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:35.483139992 CEST	49762	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:35.513464928 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:36.823978901 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:36.829298019 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:36.919945955 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:36.967967987 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:37.038789034 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:37.038825035 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:37.041363955 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:37.042632103 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:37.042648077 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:37.044682980 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:37.049791098 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:37.147315979 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:37.199702024 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:37.530945063 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:37.531148911 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:37.535346985 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:37.535360098 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:37.535451889 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:37.536005974 CEST	443	49763	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:37.536123037 CEST	49763	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.091480970 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.091566086 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.091623068 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.091713905 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.091730118 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.091805935 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.092024088 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.092021942 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.092048883 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.092137098 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.374465942 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:41.375876904 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.375937939 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.378740072 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.379364014 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:41.470567942 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:41.512077093 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:41.574724913 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.574811935 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:41.608217955 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:41.608325005 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.195192099 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.195254087 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.199270010 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.199352026 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.200275898 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.202198982 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.202276945 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.203140020 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.206115961 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.206224918 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.206327915 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.206402063 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.206557035 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.206742048 CEST	443	49767	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.209641933 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.209656954 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.209681988 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.209698915 CEST	49767	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.313627958 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:42.313709021 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:42.314532042 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:42.318032026 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:42.318065882 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:42.680416107 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.691445112 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.715682983 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.721339941 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.721365929 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.721448898 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.721860886 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 01:08:42.731293917 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:08:42.790277958 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:42.795438051 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:42.799933910 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:43.728040934 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:43.728097916 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:43.728132963 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:43.728768110 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:43.728842974 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:43.914124012 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:43.919181108 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:44.017671108 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:44.072999954 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:44.378597021 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:44.383970022 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:44.474519968 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:44.520951033 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:44.685378075 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:44.690340996 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:44.787456036 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:44.837711096 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:46.870335102 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:46.875499010 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:46.966717958 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:46.980266094 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:46.985456944 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:47.012731075 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:47.082186937 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:47.128642082 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:54.439282894 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.439356089 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:54.444809914 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.446324110 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.446358919 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:54.938277006 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:54.938373089 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.942290068 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.942311049 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:54.942378998 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.942611933 CEST	443	49775	34.107.243.93	192.168.2.4
Oct 14, 2024 01:08:54.945080996 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:54.945403099 CEST	49775	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:08:54.951695919 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:55.053308964 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:55.061777115 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:55.067183018 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:55.104819059 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:55.164691925 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:55.220890045 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.052866936 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.052901983 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.056411982 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.056524992 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.056530952 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.075448036 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.075537920 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.077708006 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.077811956 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.077841997 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.079335928 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.079447031 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:58.083324909 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.084947109 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.085026979 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:58.085223913 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.085279942 CEST	443	49779	52.222.236.120	192.168.2.4
Oct 14, 2024 01:08:58.085676908 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.085824013 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.085858107 CEST	443	49779	52.222.236.120	192.168.2.4
Oct 14, 2024 01:08:58.093157053 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.093241930 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 14, 2024 01:08:58.095724106 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.097014904 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.097071886 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 14, 2024 01:08:58.550410032 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.550860882 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.551515102 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.551661015 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.558235884 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.558244944 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.558640957 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.562139034 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.562195063 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.562424898 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.565929890 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.566040993 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.566447020 CEST	443	49776	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.566529989 CEST	49776	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.567343950 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.567395926 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.567498922 CEST	443	49777	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.569353104 CEST	49777	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.570622921 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.574528933 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:58.574640036 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.575468063 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.578730106 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.578742027 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:58.578804016 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.578936100 CEST	443	49778	35.190.72.216	192.168.2.4
Oct 14, 2024 01:08:58.578989983 CEST	49778	443	192.168.2.4	35.190.72.216
Oct 14, 2024 01:08:58.580811977 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 14, 2024 01:08:58.580925941 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.584984064 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.585012913 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 14, 2024 01:08:58.585061073 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.585319042 CEST	443	49780	35.201.103.21	192.168.2.4
Oct 14, 2024 01:08:58.585582018 CEST	49780	443	192.168.2.4	35.201.103.21
Oct 14, 2024 01:08:58.595170975 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.595225096 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.595319986 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.595412970 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:58.595427036 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:58.666326046 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.668884993 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.673949003 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.715322018 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.770900965 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.815697908 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.825965881 CEST	443	49779	52.222.236.120	192.168.2.4
Oct 14, 2024 01:08:58.826040030 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.828563929 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.828583002 CEST	443	49779	52.222.236.120	192.168.2.4
Oct 14, 2024 01:08:58.828968048 CEST	443	49779	52.222.236.120	192.168.2.4
Oct 14, 2024 01:08:58.830430031 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.830506086 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.830606937 CEST	443	49779	52.222.236.120	192.168.2.4
Oct 14, 2024 01:08:58.831208944 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.831209898 CEST	49779	443	192.168.2.4	52.222.236.120
Oct 14, 2024 01:08:58.837959051 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.838043928 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.841142893 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.842329025 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.842406988 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.842508078 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.842530012 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.846021891 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.846877098 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.846880913 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.846888065 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.846966028 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.846985102 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.847074986 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.847090960 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.847143888 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:58.847157955 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:58.938199997 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.940764904 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:58.946089029 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:58.978457928 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.043332100 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.094398022 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.096024990 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:59.096183062 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:59.098963022 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:59.098988056 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:59.099206924 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:59.101429939 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:59.101504087 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:59.101553917 CEST	443	49781	34.149.100.209	192.168.2.4
Oct 14, 2024 01:08:59.101656914 CEST	49781	443	192.168.2.4	34.149.100.209
Oct 14, 2024 01:08:59.103774071 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.109328985 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.200233936 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.202430010 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.207566977 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.248069048 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.311558962 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.346648932 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.346748114 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.347115040 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.347132921 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.347359896 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.349364996 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.349371910 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.349575996 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.351340055 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.351372004 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.351696968 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.353944063 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.354022980 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.354079962 CEST	443	49784	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.354104996 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.354161024 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.354254961 CEST	49784	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.354278088 CEST	443	49782	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.354372025 CEST	49782	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.358805895 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.363701105 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.363925934 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.371443033 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.371516943 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.373794079 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.373819113 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.374604940 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.376033068 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.376079082 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.376243114 CEST	443	49783	35.244.181.201	192.168.2.4
Oct 14, 2024 01:08:59.376296043 CEST	49783	443	192.168.2.4	35.244.181.201
Oct 14, 2024 01:08:59.454389095 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.456806898 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.461658001 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.495471001 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:08:59.558923006 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:08:59.617909908 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:09.461494923 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:09.466517925 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:09.561809063 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:09.566838026 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:14.965606928 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:14.965724945 CEST	443	49792	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:14.965889931 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:14.967281103 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:14.967320919 CEST	443	49792	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:15.479723930 CEST	443	49792	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:15.491450071 CEST	443	49792	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:15.493613958 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:15.497353077 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:15.497354031 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:15.497442961 CEST	443	49792	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:15.498168945 CEST	443	49792	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:15.498653889 CEST	49792	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:15.499883890 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:15.504812002 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:15.595782042 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:15.598611116 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:15.603729010 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:15.640619993 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:15.700562000 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:15.740914106 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:25.606614113 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:25.611653090 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:25.706986904 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:25.712548971 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:27.940231085 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.940315008 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:27.940354109 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.940409899 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:27.940598965 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.940625906 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:27.943892956 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.943928003 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.944008112 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.944019079 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.944047928 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:27.944175959 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.944210052 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:27.944257975 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:27.944268942 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.429441929 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.429533958 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.430016994 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.431418896 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.432713985 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.432734966 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.433059931 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.435034037 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.435055971 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.435400963 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.437871933 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.437988997 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.438076973 CEST	443	49880	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.438247919 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.438301086 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.438426018 CEST	443	49879	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.438493967 CEST	49880	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.438503027 CEST	49879	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.445846081 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:28.450697899 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:28.456315994 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.456386089 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.459459066 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.459462881 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.459778070 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.462125063 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.462222099 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.462282896 CEST	443	49881	34.120.208.123	192.168.2.4
Oct 14, 2024 01:09:28.462753057 CEST	49881	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:09:28.542351007 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:28.552194118 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:28.557151079 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:28.585705996 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:28.654337883 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:28.701647997 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:38.557291031 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:38.562155962 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:38.657757998 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:38.662878036 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:48.565213919 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:48.570476055 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:48.664891005 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:48.669940948 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:56.348426104 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.348510981 CEST	443	50056	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:56.348823071 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.350162029 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.350239992 CEST	443	50056	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:56.822709084 CEST	443	50056	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:56.822913885 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.831773996 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.831857920 CEST	443	50056	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:56.831891060 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.832006931 CEST	443	50056	34.107.243.93	192.168.2.4
Oct 14, 2024 01:09:56.832189083 CEST	50056	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:09:56.834834099 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:56.839814901 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:56.934170008 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:56.939924002 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:56.945364952 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:56.988703012 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:09:57.042697906 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:09:57.088977098 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:06.947233915 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:06.952631950 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:07.047101974 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:07.052418947 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:16.957854033 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:16.963320017 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:17.058092117 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:17.063544035 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:26.966855049 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:26.971904993 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:27.070753098 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:27.076738119 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:36.977463961 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:36.982626915 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:37.077626944 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:37.083453894 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:46.985761881 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:46.991199017 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:47.086225986 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:47.092036009 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:56.999310970 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:57.004235983 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:10:57.099591017 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:10:57.104501963 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:07.011272907 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:07.016531944 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:07.111418009 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:07.116662025 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.024636030 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:17.029505014 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.032088041 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.032201052 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 14, 2024 01:11:17.032269001 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.034409046 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.034447908 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 14, 2024 01:11:17.125111103 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:17.130074024 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.520971060 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 14, 2024 01:11:17.521121979 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.530128956 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.530178070 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 14, 2024 01:11:17.530287027 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.530787945 CEST	443	50057	34.107.243.93	192.168.2.4
Oct 14, 2024 01:11:17.530916929 CEST	50057	443	192.168.2.4	34.107.243.93
Oct 14, 2024 01:11:17.533629894 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:17.538616896 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.632215977 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.636352062 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:17.641685009 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.673355103 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:17.738879919 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:17.789469957 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:27.636709929 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:27.641855001 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:27.748440981 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:27.753607035 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:28.685347080 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685395002 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.685501099 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685576916 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685590982 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.685622931 CEST	443	50060	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.685813904 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685822964 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685909986 CEST	443	50061	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.685939074 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685941935 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685945988 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.685946941 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.686070919 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.686084986 CEST	443	50060	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.686181068 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.686204910 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:28.686296940 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.686407089 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:28.686434984 CEST	443	50061	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.164441109 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.164661884 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.167792082 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.167820930 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.168247938 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.169948101 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.170057058 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.170164108 CEST	443	50058	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.170285940 CEST	50058	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.172460079 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:29.176624060 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.177316904 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:29.179287910 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.179446936 CEST	443	50061	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.179591894 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.182018995 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.182048082 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.182609081 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.184717894 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.184743881 CEST	443	50061	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.185887098 CEST	443	50061	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.187248945 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.187338114 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.187515020 CEST	443	50059	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.187578917 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.187633038 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.187747955 CEST	443	50061	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.188002110 CEST	443	50060	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.188020945 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.188035011 CEST	50059	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.188040972 CEST	50061	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.188102007 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.190994024 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.191000938 CEST	443	50060	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.191375971 CEST	443	50060	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.193609953 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.193708897 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.193802118 CEST	443	50060	34.120.208.123	192.168.2.4
Oct 14, 2024 01:11:29.194814920 CEST	50060	443	192.168.2.4	34.120.208.123
Oct 14, 2024 01:11:29.268007994 CEST	80	49749	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:29.272910118 CEST	49758	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:29.277864933 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:29.320887089 CEST	49749	80	192.168.2.4	34.107.221.82
Oct 14, 2024 01:11:29.375680923 CEST	80	49758	34.107.221.82	192.168.2.4
Oct 14, 2024 01:11:29.421076059 CEST	49758	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 01:08:29.382186890 CEST	56863	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:29.389379025 CEST	53	56863	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:29.390742064 CEST	63176	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:29.397988081 CEST	53	63176	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:31.410059929 CEST	59251	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:31.410345078 CEST	63053	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:31.417249918 CEST	53	63053	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:31.417895079 CEST	58068	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:31.418423891 CEST	60754	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:31.424864054 CEST	53	58068	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:31.425050020 CEST	53	60754	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:31.425899029 CEST	50127	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:31.425976038 CEST	58913	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:31.432724953 CEST	53	58913	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:31.432787895 CEST	53	50127	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:31.998552084 CEST	55899	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.005552053 CEST	53	55899	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.006814957 CEST	55086	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.009876966 CEST	51378	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.012442112 CEST	53956	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.016308069 CEST	53	55086	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.016748905 CEST	53	51378	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.019706964 CEST	53	53956	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.019865036 CEST	57945	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.020459890 CEST	60799	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.021780014 CEST	63490	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.026447058 CEST	53	57945	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.027863026 CEST	53	60799	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.028486967 CEST	53	63490	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.044118881 CEST	57803	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.051525116 CEST	53	57803	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.114928007 CEST	52584	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.116389990 CEST	58685	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.121843100 CEST	53	52584	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.123023033 CEST	62688	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.123110056 CEST	53	58685	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.280184984 CEST	49711	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.288839102 CEST	53	49711	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.290153980 CEST	65281	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.301563025 CEST	53	65281	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:32.305869102 CEST	50039	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:32.312973022 CEST	53	50039	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.473268032 CEST	55713	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.497011900 CEST	53	59082	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.663292885 CEST	62494	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.670561075 CEST	53	62494	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.672154903 CEST	52047	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.679950953 CEST	53	52047	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.685784101 CEST	53059	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.692737103 CEST	53	53059	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.915904045 CEST	54385	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.918766022 CEST	64907	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.922993898 CEST	53	54385	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.924249887 CEST	51694	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.925455093 CEST	53	64907	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.926451921 CEST	62137	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.930916071 CEST	53	51694	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.933168888 CEST	53	62137	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:34.934813976 CEST	62859	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:34.942230940 CEST	53	62859	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:36.824810982 CEST	53361	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:36.832046032 CEST	53	53361	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:36.849183083 CEST	56913	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:36.856700897 CEST	53	56913	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:36.857319117 CEST	57312	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:36.864475965 CEST	53	57312	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.083318949 CEST	54182	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.090322971 CEST	53	54182	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.132102013 CEST	65024	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.132488966 CEST	62268	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.132803917 CEST	63425	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.138786077 CEST	53	65024	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.139281988 CEST	53	62268	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.140057087 CEST	53	63425	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.143265963 CEST	63794	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.144428968 CEST	55332	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.144660950 CEST	56237	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.150079012 CEST	53	63794	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.151030064 CEST	53	55332	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.151496887 CEST	53	56237	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.155628920 CEST	55775	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.156388044 CEST	60578	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.157067060 CEST	54920	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.162401915 CEST	53	55775	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.162983894 CEST	53	60578	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.163204908 CEST	49816	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.164185047 CEST	64639	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.164410114 CEST	53	54920	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.169872999 CEST	53	49816	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.170564890 CEST	49596	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.170664072 CEST	53	64639	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.171241045 CEST	54534	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.177457094 CEST	53	49596	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.177812099 CEST	53	54534	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.178134918 CEST	52296	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.178643942 CEST	61601	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:41.185146093 CEST	53	52296	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:41.185703039 CEST	53	61601	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:42.323019981 CEST	55405	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:42.329821110 CEST	53	55405	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:54.439629078 CEST	63923	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:54.446923018 CEST	53	63923	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:54.945337057 CEST	49822	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.058173895 CEST	50067	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.064914942 CEST	53	50067	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.072879076 CEST	58919	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.080375910 CEST	53	58919	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.081746101 CEST	50835	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.082884073 CEST	51496	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.085627079 CEST	64946	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.088815928 CEST	53	50835	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.089883089 CEST	53	51496	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.092442036 CEST	53	64946	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.092448950 CEST	50469	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.093643904 CEST	62982	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.097831964 CEST	60410	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.099627972 CEST	53	50469	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.100933075 CEST	53	62982	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.104346037 CEST	53	60410	1.1.1.1	192.168.2.4
Oct 14, 2024 01:08:58.110137939 CEST	64845	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:08:58.117224932 CEST	53	64845	1.1.1.1	192.168.2.4
Oct 14, 2024 01:09:14.965861082 CEST	54713	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:09:14.972939014 CEST	53	54713	1.1.1.1	192.168.2.4
Oct 14, 2024 01:09:27.938261032 CEST	51590	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:09:27.945296049 CEST	53	51590	1.1.1.1	192.168.2.4
Oct 14, 2024 01:09:56.339890957 CEST	50349	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:09:56.347408056 CEST	53	50349	1.1.1.1	192.168.2.4
Oct 14, 2024 01:09:56.348282099 CEST	50200	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:09:56.357867956 CEST	53	50200	1.1.1.1	192.168.2.4
Oct 14, 2024 01:09:56.835422039 CEST	51318	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:11:17.014810085 CEST	62175	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:11:17.022288084 CEST	53	62175	1.1.1.1	192.168.2.4
Oct 14, 2024 01:11:17.024014950 CEST	55660	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:11:17.030853987 CEST	53	55660	1.1.1.1	192.168.2.4
Oct 14, 2024 01:11:17.031558990 CEST	52932	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:11:17.038908958 CEST	53	52932	1.1.1.1	192.168.2.4
Oct 14, 2024 01:11:17.533739090 CEST	58187	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:11:28.686271906 CEST	52659	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:11:28.693197012 CEST	53	52659	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 01:08:29.382186890 CEST	192.168.2.4	1.1.1.1	0x7121	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:29.390742064 CEST	192.168.2.4	1.1.1.1	0xb5a7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:31.410059929 CEST	192.168.2.4	1.1.1.1	0x3ca9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.410345078 CEST	192.168.2.4	1.1.1.1	0x4831	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.417895079 CEST	192.168.2.4	1.1.1.1	0xe8c5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.418423891 CEST	192.168.2.4	1.1.1.1	0xa0d0	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.425899029 CEST	192.168.2.4	1.1.1.1	0x37a1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:31.425976038 CEST	192.168.2.4	1.1.1.1	0x2c78	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:31.998552084 CEST	192.168.2.4	1.1.1.1	0x1310	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.006814957 CEST	192.168.2.4	1.1.1.1	0x3d2e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.009876966 CEST	192.168.2.4	1.1.1.1	0x7619	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.012442112 CEST	192.168.2.4	1.1.1.1	0xa0ca	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.019865036 CEST	192.168.2.4	1.1.1.1	0x88c2	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:32.020459890 CEST	192.168.2.4	1.1.1.1	0x3ff3	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.021780014 CEST	192.168.2.4	1.1.1.1	0xd8fa	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:32.044118881 CEST	192.168.2.4	1.1.1.1	0xee02	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:32.114928007 CEST	192.168.2.4	1.1.1.1	0xb9c	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.116389990 CEST	192.168.2.4	1.1.1.1	0x1b7b	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.123023033 CEST	192.168.2.4	1.1.1.1	0x2626	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.280184984 CEST	192.168.2.4	1.1.1.1	0x821	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.290153980 CEST	192.168.2.4	1.1.1.1	0x7d7e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.305869102 CEST	192.168.2.4	1.1.1.1	0x55ce	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:34.473268032 CEST	192.168.2.4	1.1.1.1	0x23b1	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.663292885 CEST	192.168.2.4	1.1.1.1	0x1db5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.672154903 CEST	192.168.2.4	1.1.1.1	0xae1e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.685784101 CEST	192.168.2.4	1.1.1.1	0x80a6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:34.915904045 CEST	192.168.2.4	1.1.1.1	0x788c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.918766022 CEST	192.168.2.4	1.1.1.1	0x4b0c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.924249887 CEST	192.168.2.4	1.1.1.1	0x7942	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:34.926451921 CEST	192.168.2.4	1.1.1.1	0xc7f4	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.934813976 CEST	192.168.2.4	1.1.1.1	0x5394	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:36.824810982 CEST	192.168.2.4	1.1.1.1	0x2112	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:36.849183083 CEST	192.168.2.4	1.1.1.1	0x69a3	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:36.857319117 CEST	192.168.2.4	1.1.1.1	0x648	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:41.083318949 CEST	192.168.2.4	1.1.1.1	0xe4fc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:41.132102013 CEST	192.168.2.4	1.1.1.1	0x5f40	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.132488966 CEST	192.168.2.4	1.1.1.1	0xa9db	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.132803917 CEST	192.168.2.4	1.1.1.1	0x5c32	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.143265963 CEST	192.168.2.4	1.1.1.1	0x517b	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.144428968 CEST	192.168.2.4	1.1.1.1	0xaf9b	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.144660950 CEST	192.168.2.4	1.1.1.1	0x171c	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.155628920 CEST	192.168.2.4	1.1.1.1	0x3028	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:41.156388044 CEST	192.168.2.4	1.1.1.1	0xd94b	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:41.157067060 CEST	192.168.2.4	1.1.1.1	0xae29	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 01:08:41.163204908 CEST	192.168.2.4	1.1.1.1	0xf837	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.164185047 CEST	192.168.2.4	1.1.1.1	0x967	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.170564890 CEST	192.168.2.4	1.1.1.1	0x3929	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.171241045 CEST	192.168.2.4	1.1.1.1	0x2e3b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.178134918 CEST	192.168.2.4	1.1.1.1	0x135	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:41.178643942 CEST	192.168.2.4	1.1.1.1	0x94b2	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:42.323019981 CEST	192.168.2.4	1.1.1.1	0x12b5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:54.439629078 CEST	192.168.2.4	1.1.1.1	0xb84b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:08:54.945337057 CEST	192.168.2.4	1.1.1.1	0x5efe	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.058173895 CEST	192.168.2.4	1.1.1.1	0x312e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:58.072879076 CEST	192.168.2.4	1.1.1.1	0xa44d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.081746101 CEST	192.168.2.4	1.1.1.1	0xd53	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.082884073 CEST	192.168.2.4	1.1.1.1	0x399c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.085627079 CEST	192.168.2.4	1.1.1.1	0xec52	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.092448950 CEST	192.168.2.4	1.1.1.1	0x986f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 01:08:58.093643904 CEST	192.168.2.4	1.1.1.1	0x92e9	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.097831964 CEST	192.168.2.4	1.1.1.1	0x3fd3	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 01:08:58.110137939 CEST	192.168.2.4	1.1.1.1	0x3053	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:09:14.965861082 CEST	192.168.2.4	1.1.1.1	0xad37	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:09:27.938261032 CEST	192.168.2.4	1.1.1.1	0x7255	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:09:56.339890957 CEST	192.168.2.4	1.1.1.1	0x5d74	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:09:56.348282099 CEST	192.168.2.4	1.1.1.1	0xfe33	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:09:56.835422039 CEST	192.168.2.4	1.1.1.1	0xa4c7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:17.014810085 CEST	192.168.2.4	1.1.1.1	0xfaa8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:17.024014950 CEST	192.168.2.4	1.1.1.1	0x89c3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:17.031558990 CEST	192.168.2.4	1.1.1.1	0x1ff9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 01:11:17.533739090 CEST	192.168.2.4	1.1.1.1	0xc567	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:28.686271906 CEST	192.168.2.4	1.1.1.1	0xd823	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 01:08:29.376611948 CEST	1.1.1.1	192.168.2.4	0x5108	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:29.389379025 CEST	1.1.1.1	192.168.2.4	0x7121	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.416887045 CEST	1.1.1.1	192.168.2.4	0x3ca9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:31.416887045 CEST	1.1.1.1	192.168.2.4	0x3ca9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.417249918 CEST	1.1.1.1	192.168.2.4	0x4831	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.424864054 CEST	1.1.1.1	192.168.2.4	0xe8c5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.425050020 CEST	1.1.1.1	192.168.2.4	0xa0d0	No error (0)	youtube.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:31.432724953 CEST	1.1.1.1	192.168.2.4	0x2c78	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 01:08:31.432787895 CEST	1.1.1.1	192.168.2.4	0x37a1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 01:08:32.005552053 CEST	1.1.1.1	192.168.2.4	0x1310	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.010137081 CEST	1.1.1.1	192.168.2.4	0xb491	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:32.010137081 CEST	1.1.1.1	192.168.2.4	0xb491	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.016308069 CEST	1.1.1.1	192.168.2.4	0x3d2e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.016748905 CEST	1.1.1.1	192.168.2.4	0x7619	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:32.016748905 CEST	1.1.1.1	192.168.2.4	0x7619	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.019706964 CEST	1.1.1.1	192.168.2.4	0xa0ca	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.027863026 CEST	1.1.1.1	192.168.2.4	0x3ff3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.121843100 CEST	1.1.1.1	192.168.2.4	0xb9c	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.123110056 CEST	1.1.1.1	192.168.2.4	0x1b7b	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.123110056 CEST	1.1.1.1	192.168.2.4	0x1b7b	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.129873037 CEST	1.1.1.1	192.168.2.4	0x2626	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:32.129873037 CEST	1.1.1.1	192.168.2.4	0x2626	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.288839102 CEST	1.1.1.1	192.168.2.4	0x821	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:32.288839102 CEST	1.1.1.1	192.168.2.4	0x821	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:32.288839102 CEST	1.1.1.1	192.168.2.4	0x821	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.301563025 CEST	1.1.1.1	192.168.2.4	0x7d7e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:32.312973022 CEST	1.1.1.1	192.168.2.4	0x55ce	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 01:08:34.480758905 CEST	1.1.1.1	192.168.2.4	0x23b1	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:34.670561075 CEST	1.1.1.1	192.168.2.4	0x1db5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.679950953 CEST	1.1.1.1	192.168.2.4	0xae1e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.908963919 CEST	1.1.1.1	192.168.2.4	0x71f4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.910037041 CEST	1.1.1.1	192.168.2.4	0x3de2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:34.910037041 CEST	1.1.1.1	192.168.2.4	0x3de2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.922993898 CEST	1.1.1.1	192.168.2.4	0x788c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.925455093 CEST	1.1.1.1	192.168.2.4	0x4b0c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:34.925455093 CEST	1.1.1.1	192.168.2.4	0x4b0c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:34.933168888 CEST	1.1.1.1	192.168.2.4	0xc7f4	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:36.832046032 CEST	1.1.1.1	192.168.2.4	0x2112	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:36.832046032 CEST	1.1.1.1	192.168.2.4	0x2112	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:36.832046032 CEST	1.1.1.1	192.168.2.4	0x2112	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:36.856700897 CEST	1.1.1.1	192.168.2.4	0x69a3	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:37.026329041 CEST	1.1.1.1	192.168.2.4	0x3708	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.138786077 CEST	1.1.1.1	192.168.2.4	0x5f40	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.139281988 CEST	1.1.1.1	192.168.2.4	0xa9db	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:41.139281988 CEST	1.1.1.1	192.168.2.4	0xa9db	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.140057087 CEST	1.1.1.1	192.168.2.4	0x5c32	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:41.140057087 CEST	1.1.1.1	192.168.2.4	0x5c32	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.150079012 CEST	1.1.1.1	192.168.2.4	0x517b	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.151030064 CEST	1.1.1.1	192.168.2.4	0xaf9b	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.151496887 CEST	1.1.1.1	192.168.2.4	0x171c	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.162401915 CEST	1.1.1.1	192.168.2.4	0x3028	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 01:08:41.162401915 CEST	1.1.1.1	192.168.2.4	0x3028	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 01:08:41.162401915 CEST	1.1.1.1	192.168.2.4	0x3028	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 01:08:41.162401915 CEST	1.1.1.1	192.168.2.4	0x3028	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 01:08:41.162983894 CEST	1.1.1.1	192.168.2.4	0xd94b	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 01:08:41.164410114 CEST	1.1.1.1	192.168.2.4	0xae29	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 01:08:41.169872999 CEST	1.1.1.1	192.168.2.4	0xf837	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:41.169872999 CEST	1.1.1.1	192.168.2.4	0xf837	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.169872999 CEST	1.1.1.1	192.168.2.4	0xf837	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.169872999 CEST	1.1.1.1	192.168.2.4	0xf837	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.169872999 CEST	1.1.1.1	192.168.2.4	0xf837	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.170664072 CEST	1.1.1.1	192.168.2.4	0x967	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.177457094 CEST	1.1.1.1	192.168.2.4	0x3929	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.177457094 CEST	1.1.1.1	192.168.2.4	0x3929	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.177457094 CEST	1.1.1.1	192.168.2.4	0x3929	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.177457094 CEST	1.1.1.1	192.168.2.4	0x3929	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:41.177812099 CEST	1.1.1.1	192.168.2.4	0x2e3b	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:54.955101013 CEST	1.1.1.1	192.168.2.4	0x5efe	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:54.955101013 CEST	1.1.1.1	192.168.2.4	0x5efe	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.080375910 CEST	1.1.1.1	192.168.2.4	0xa44d	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.080375910 CEST	1.1.1.1	192.168.2.4	0xa44d	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.080375910 CEST	1.1.1.1	192.168.2.4	0xa44d	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.080375910 CEST	1.1.1.1	192.168.2.4	0xa44d	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.086340904 CEST	1.1.1.1	192.168.2.4	0xbcc6	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.088815928 CEST	1.1.1.1	192.168.2.4	0xd53	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.089883089 CEST	1.1.1.1	192.168.2.4	0x399c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:58.089883089 CEST	1.1.1.1	192.168.2.4	0x399c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.092442036 CEST	1.1.1.1	192.168.2.4	0xec52	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.092442036 CEST	1.1.1.1	192.168.2.4	0xec52	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.092442036 CEST	1.1.1.1	192.168.2.4	0xec52	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.092442036 CEST	1.1.1.1	192.168.2.4	0xec52	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:58.100933075 CEST	1.1.1.1	192.168.2.4	0x92e9	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:08:59.410509109 CEST	1.1.1.1	192.168.2.4	0x861b	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:08:59.410509109 CEST	1.1.1.1	192.168.2.4	0x861b	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:09:27.927758932 CEST	1.1.1.1	192.168.2.4	0x9e15	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:09:56.347408056 CEST	1.1.1.1	192.168.2.4	0x5d74	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:09:56.842137098 CEST	1.1.1.1	192.168.2.4	0xa4c7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:09:56.842137098 CEST	1.1.1.1	192.168.2.4	0xa4c7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:17.022288084 CEST	1.1.1.1	192.168.2.4	0xfaa8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:17.030853987 CEST	1.1.1.1	192.168.2.4	0x89c3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:17.543899059 CEST	1.1.1.1	192.168.2.4	0xc567	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 01:11:17.543899059 CEST	1.1.1.1	192.168.2.4	0xc567	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:11:28.684395075 CEST	1.1.1.1	192.168.2.4	0xd7f4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	2720	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:08:31.605079889 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:32.057884932 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75479 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	2720	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:08:32.140469074 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:32.600313902 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18936 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	2720	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:08:32.667977095 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:33.118954897 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75480 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:33.523241997 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:33.619868994 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75480 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:34.536257029 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:34.632611990 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75481 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:35.262667894 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:35.360006094 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75482 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:36.823978901 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:36.919945955 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75483 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:41.374465942 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:41.470567942 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75488 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:44.378597021 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:44.474519968 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75491 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:46.870335102 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:46.966717958 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75493 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:54.945080996 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:55.053308964 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75502 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:58.570622921 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:58.666326046 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75505 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:58.841142893 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:58.938199997 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75505 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:59.103774071 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:59.200233936 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75506 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:08:59.358805895 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:08:59.454389095 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75506 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:09:09.461494923 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:15.499883890 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:09:15.595782042 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75522 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:09:25.606614113 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:28.445846081 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:09:28.542351007 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75535 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:09:38.557291031 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:48.565213919 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:56.834834099 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:09:56.934170008 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75563 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:10:06.947233915 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:16.957854033 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:26.966855049 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:36.977463961 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:46.985761881 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:56.999310970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:11:17.533629894 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:11:17.632215977 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75644 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 01:11:29.172460079 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 01:11:29.268007994 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 75656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	34.107.221.82	80	2720	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:08:33.569538116 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49756	34.107.221.82	80	2720	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:08:34.225539923 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49758	34.107.221.82	80	2720	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:08:34.661493063 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:35.157603979 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18939 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:35.363316059 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:35.465039015 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18939 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:37.044682980 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:37.147315979 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18941 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:43.914124012 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:44.017671108 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18947 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:44.685378075 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:44.787456036 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18948 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:46.980266094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:47.082186937 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18951 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:55.061777115 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:55.164691925 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18959 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:58.668884993 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:58.770900965 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18962 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:58.940764904 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:59.043332100 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18962 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:59.202430010 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:59.311558962 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18963 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:08:59.456806898 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:08:59.558923006 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18963 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:09:09.561809063 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:15.598611116 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:09:15.700562000 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18979 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:09:25.706986904 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:28.552194118 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:09:28.654337883 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 18992 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:09:38.657757998 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:48.664891005 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:09:56.939924002 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:09:57.042697906 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 19020 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:10:07.047101974 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:17.058092117 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:27.070753098 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:37.077626944 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:47.086225986 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:10:57.099591017 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 01:11:17.636352062 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:11:17.738879919 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 19101 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 01:11:29.272910118 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 01:11:29.375680923 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 19113 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	19:08:23
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x840000
File size:	919'552 bytes
MD5 hash:	0E2E68EE546C58ADD51D948916B1EC65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:08:23
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x960000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:08:23
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:08:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x960000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:08:25
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:08:25
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x960000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:08:25
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x7ff7699e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xa20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x960000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:08:26
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	19:08:27
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8742fd4-1926-4b7d-b5cd-227d1ca53650} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235cde6f710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:08:29
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -parentBuildID 20230927232528 -prefsHandle 1392 -prefMapHandle 3364 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7db5ca4-9b73-4566-854b-98eaaea695b3} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235dfecbf10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	19:08:34
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5460 -prefMapHandle 5440 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {322df133-639f-4d6c-a4ae-c75d38c0f85a} 2720 "\\.\pipe\gecko-crash-server-pipe.2720" 235e7749910 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1513
Total number of Limit Nodes:	54

Executed Functions

Function 008442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0084430D

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

GetCurrentProcess.KERNEL32(?,008DCB64,00000000,?,?), ref: 00844422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00844429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00844454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00844466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00844474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0084447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008444A0

Strings

|O, xrefs: 008836F8
kernel32.dll, xrefs: 0084444F
GetNativeSystemInfo, xrefs: 00844460

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: aebbb2bd1695bd5f5c539bc97c0c671630e44985ced7a1c10d13c3e63161df38
Instruction ID: ecb33a3f133d6f32657937bf401d4b0308372a9937fab5d117de4f3c91d1e793
Opcode Fuzzy Hash: aebbb2bd1695bd5f5c539bc97c0c671630e44985ced7a1c10d13c3e63161df38
Instruction Fuzzy Hash: 32A1D761B2E2C8FFCB11E7697C443D57FA4FB26704B08D4AAE271D3629D2204546FB25

Function 008442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008450AA,?,?,00000000,00000000), ref: 008442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008450AA,?,?,00000000,00000000), ref: 008442C9
LoadResource.KERNEL32(?,00000000,?,?,008450AA,?,?,00000000,00000000,?,?,?,?,?,?,00844F20), ref: 008835BE
SizeofResource.KERNEL32(?,00000000,?,?,008450AA,?,?,00000000,00000000,?,?,?,?,?,?,00844F20), ref: 008835D3
LockResource.KERNEL32(008450AA,?,?,008450AA,?,?,00000000,00000000,?,?,?,?,?,?,00844F20,?), ref: 008835E6

Strings

SCRIPT, xrefs: 008442BF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4d3b96f7cbae6d1fe1f5af8beb7f038e80707b4034fac812979b2fbea2e85e20
Instruction ID: d96ea2d093423ae39a1bd6878d4cfa169e6a365e1da810f729aefc49de4a94c4
Opcode Fuzzy Hash: 4d3b96f7cbae6d1fe1f5af8beb7f038e80707b4034fac812979b2fbea2e85e20
Instruction Fuzzy Hash: 82117CB0201716BFDB218BA5DC48F277BBAFBC5B51F10426EF412D6290DBB2D800C620

Function 00882BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00842B6B

Part of subcall function 00843A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00911418,?,00842E7F,?,?,?,00000000), ref: 00843A78

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00902224), ref: 00882C10
ShellExecuteW.SHELL32(00000000,?,?,00902224), ref: 00882C17

Strings

runas, xrefs: 00882C0B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 573a6d333639c96880d82a875556e0be66e83194072a63ad1cccd0e71c2038fd
Instruction ID: 0294ad6e995551cfc1b1357660fd6a949c67701a5a30a4b5af9c602aae951d31
Opcode Fuzzy Hash: 573a6d333639c96880d82a875556e0be66e83194072a63ad1cccd0e71c2038fd
Instruction Fuzzy Hash: 0C11B13120C34DAAC714FF68E8559BEB7A4FF91764F84142DF182D21A2CF218A49C713

Function 008AD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008AD501
Process32FirstW.KERNEL32(00000000,?), ref: 008AD50F
Process32NextW.KERNEL32(00000000,?), ref: 008AD52F
CloseHandle.KERNELBASE(00000000), ref: 008AD5DC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 76a260c7b427c7267937ecbe52ee25887fc4ba0463079c3c8fe895d259085aad
Instruction ID: e4e7abb3568d7aa549c7d9dd57e9710d8da77d3ed282d0196bf79d1c0ef356b2
Opcode Fuzzy Hash: 76a260c7b427c7267937ecbe52ee25887fc4ba0463079c3c8fe895d259085aad
Instruction Fuzzy Hash: 0F31A1311083059FD304EF58C881AAFBBE8FF99344F10052DF582C65A2EB719945CB93

Function 008ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00885222), ref: 008ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 008ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 008ADBEE
FindClose.KERNEL32(00000000), ref: 008ADBFA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1eb78eb4f6296182f28fc661181d5a27bd96ee71e9ae86e22ffbdf9de3021645
Instruction ID: e06809cc2f3b53f7c8895c1e6bb7168e2b0a94e5bdff5223a68f4f0ffdae32f8
Opcode Fuzzy Hash: 1eb78eb4f6296182f28fc661181d5a27bd96ee71e9ae86e22ffbdf9de3021645
Instruction Fuzzy Hash: B1F0A030811A255792206B78AC0D8AA376CFF02334B904713F876C2AE0EBB85D54C695

Function 00864CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008728E9,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002,00000000,?,008728E9), ref: 00864D09
TerminateProcess.KERNEL32(00000000,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002,00000000,?,008728E9), ref: 00864D10
ExitProcess.KERNEL32 ref: 00864D22

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dcdc955d319ed605402a42fe19ed0224309c82764a4fa4ef0d50ffcfcd78fae9
Instruction ID: 2bf64c78018c4f5918c1875ed2afeff190ddc4807ee0568a6f7109f639bfe131
Opcode Fuzzy Hash: dcdc955d319ed605402a42fe19ed0224309c82764a4fa4ef0d50ffcfcd78fae9
Instruction Fuzzy Hash: 03E0B631401149ABCF11AF54DD09E5C3B69FB41781F119115FC19CB222CB35DD42DA81

Function 008CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 008CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008CB1D4
_wcslen.LIBCMT ref: 008CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008CB236
_wcslen.LIBCMT ref: 008CB332

Part of subcall function 008B05A7: GetStdHandle.KERNEL32(000000F6), ref: 008B05C6

_wcslen.LIBCMT ref: 008CB34B
_wcslen.LIBCMT ref: 008CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008CB3B6
GetLastError.KERNEL32(00000000), ref: 008CB407
CloseHandle.KERNEL32(?), ref: 008CB439
CloseHandle.KERNEL32(00000000), ref: 008CB44A
CloseHandle.KERNEL32(00000000), ref: 008CB45C
CloseHandle.KERNEL32(00000000), ref: 008CB46E
CloseHandle.KERNEL32(?), ref: 008CB4E3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b0532609e725a2a83bf7b837f41e94df29d4737de09c46ee0fcd5229ff142034
Instruction ID: d21feaae6e6c40cb67a0a7869df80d8de42828e3240e3d7bb2f079d5d20fbdef
Opcode Fuzzy Hash: b0532609e725a2a83bf7b837f41e94df29d4737de09c46ee0fcd5229ff142034
Instruction Fuzzy Hash: 90F169315086449FC724EF28C892B6EBBE5FF85314F14895DF8999B2A2DB31EC44CB52

Function 0084D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0084D807
timeGetTime.WINMM ref: 0084DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084DB28
TranslateMessage.USER32(?), ref: 0084DB7B
DispatchMessageW.USER32(?), ref: 0084DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084DB9F
Sleep.KERNELBASE(0000000A), ref: 0084DBB1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 7475ea3d84fb4a5384a6dca81b7d64afe046ea6cc9330aa7912f8a8852b5068c
Instruction ID: 44d0507325df2544bcb4c72512a563c1a7dbc993f18a46511cd63c4b2953654a
Opcode Fuzzy Hash: 7475ea3d84fb4a5384a6dca81b7d64afe046ea6cc9330aa7912f8a8852b5068c
Instruction Fuzzy Hash: 3F42C33060834AEFDB29DF28C884BAABBE1FF55314F188659E955C7391D770E844CB92

Function 00842CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00842D07
RegisterClassExW.USER32(00000030), ref: 00842D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00842D42
InitCommonControlsEx.COMCTL32(?), ref: 00842D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00842D6F
LoadIconW.USER32(000000A9), ref: 00842D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00842D94

Strings

TaskbarCreated, xrefs: 00842D37
AutoIt v3 GUI, xrefs: 00842D23
0, xrefs: 00842CE9
+, xrefs: 00842CF0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2a0c2536c8f89632150f183001c450e280e4ffae85733940dab8d8c93f73a97b
Instruction ID: c1acbc7b8fed779adf8c77c0e5f27b8200838e1c33d0bf84f6429742c851265c
Opcode Fuzzy Hash: 2a0c2536c8f89632150f183001c450e280e4ffae85733940dab8d8c93f73a97b
Instruction Fuzzy Hash: 5621C3B5A16219AFDB00DFA4E849BDDBBB8FB08701F00821AF621A62A0D7B54544DF91

Function 0088065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0088039A: CreateFileW.KERNELBASE(00000000,00000000,?,00880704,?,?,00000000,?,00880704,00000000,0000000C), ref: 008803B7

GetLastError.KERNEL32 ref: 0088076F
__dosmaperr.LIBCMT ref: 00880776
GetFileType.KERNELBASE(00000000), ref: 00880782
GetLastError.KERNEL32 ref: 0088078C
__dosmaperr.LIBCMT ref: 00880795
CloseHandle.KERNEL32(00000000), ref: 008807B5
CloseHandle.KERNEL32(?), ref: 008808FF
GetLastError.KERNEL32 ref: 00880931
__dosmaperr.LIBCMT ref: 00880938

Strings

H, xrefs: 008808BD

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d5b01ce277a4b0bdf8532172bd5e3855c160ddc8264c41181b6ea588f2e82aaf
Instruction ID: 3482bba0f647c5a1f936ecfbad42817b1d8bc8d6d26848faa0ca616f5a7e595c
Opcode Fuzzy Hash: d5b01ce277a4b0bdf8532172bd5e3855c160ddc8264c41181b6ea588f2e82aaf
Instruction Fuzzy Hash: 7FA11132A141088FDF19AF68DC52BAE7BA0FB4A324F144159F815DB392DB319C56CF92

Function 0084344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00843A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00911418,?,00842E7F,?,?,?,00000000), ref: 00843A78

Part of subcall function 00843357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00843379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0084356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0088318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008831CE
RegCloseKey.ADVAPI32(?), ref: 00883210
_wcslen.LIBCMT ref: 00883277
_wcslen.LIBCMT ref: 00883286

Strings

Include, xrefs: 00883184, 008831C5
Software\AutoIt v3\AutoIt, xrefs: 00843560
\Include\, xrefs: 00843527
\, xrefs: 0088328C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 7d2f4bd71466ff2e0b6ec9db8ccf2b8e56c4894403ca36cfddd3dce96bbfa388
Instruction ID: 208673eb99f089041833e60dacc83c61f01287023c70887ecb344ab7c3973132
Opcode Fuzzy Hash: 7d2f4bd71466ff2e0b6ec9db8ccf2b8e56c4894403ca36cfddd3dce96bbfa388
Instruction Fuzzy Hash: ED71D1716183059EC314FF29EC8289BBBE8FF84B40F40452EF564C72A1EB308A59CB52

Function 00842B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00842B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00842B9D
LoadIconW.USER32(00000063), ref: 00842BB3
LoadIconW.USER32(000000A4), ref: 00842BC5
LoadIconW.USER32(000000A2), ref: 00842BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00842BEF
RegisterClassExW.USER32(?), ref: 00842C40

Part of subcall function 00842CD4: GetSysColorBrush.USER32(0000000F), ref: 00842D07
Part of subcall function 00842CD4: RegisterClassExW.USER32(00000030), ref: 00842D31
Part of subcall function 00842CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00842D42
Part of subcall function 00842CD4: InitCommonControlsEx.COMCTL32(?), ref: 00842D5F
Part of subcall function 00842CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00842D6F
Part of subcall function 00842CD4: LoadIconW.USER32(000000A9), ref: 00842D85
Part of subcall function 00842CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00842D94

Strings

AutoIt v3, xrefs: 00842C2F
#, xrefs: 00842C16
0, xrefs: 00842C0F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4cc5ae15735fc3ae8b7d4e4786c1881b7ab0d71d7d22172733716b22730d9795
Instruction ID: 5019fc32f38895f06d19d2f28e620a51fa5283fd63e3f3e0328abe9637f83cd0
Opcode Fuzzy Hash: 4cc5ae15735fc3ae8b7d4e4786c1881b7ab0d71d7d22172733716b22730d9795
Instruction Fuzzy Hash: 9B213A70F26318BBDB109FA9ED55ADDBFB4FB08B50F00811AF610A66A4D3B10541EF90

Function 00843170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0084316A,?,?), ref: 008431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0084316A,?,?), ref: 00843204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00843227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0084316A,?,?), ref: 00843232
CreatePopupMenu.USER32 ref: 00843246
PostQuitMessage.USER32(00000000), ref: 00843267

Strings

TaskbarCreated, xrefs: 0084322D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: cc9b6aaf4889cae632c0c4014af07331def0dfadb5a1ef5b09df27517e7d55b7
Instruction ID: 11895d357a34a8d7c997fedb80296ac0d452fedd139c3f455855b80f377d024f
Opcode Fuzzy Hash: cc9b6aaf4889cae632c0c4014af07331def0dfadb5a1ef5b09df27517e7d55b7
Instruction Fuzzy Hash: ED41483135422CBBDF252B3CAC4DBB93B59F705305F044226FA12C62A5CBB19B41E762

Function 00841410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00841459
CoUninitialize.COMBASE ref: 008414F8
UnregisterHotKey.USER32(?), ref: 008416DD
DestroyWindow.USER32(?), ref: 008824B9
FreeLibrary.KERNEL32(?), ref: 0088251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0088254B

Strings

close all, xrefs: 00841454

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 834894d77fbb882fbeaf018ab0b1b54c30940606d354668fb44cf830cd22cdf4
Instruction ID: f7bf3d1617f5a1dd4cdb5aec78c8a1ebbe956913cc6e5e4164443baeef191320
Opcode Fuzzy Hash: 834894d77fbb882fbeaf018ab0b1b54c30940606d354668fb44cf830cd22cdf4
Instruction Fuzzy Hash: 00D16731702216CFCB29EF18C899A29F7A0FF05710F1542ADE94AEB252DB30AD56CF55

Function 00842C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00842C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00842CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00841CAD,?), ref: 00842CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00841CAD,?), ref: 00842CCF

Strings

edit, xrefs: 00842CAC
AutoIt v3, xrefs: 00842C89, 00842C8E, 00842C8F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d4926f3368c560fb3624083d9edd97a0269cfcbfdb88bdc9d3bdf3f5bdcf3d0a
Instruction ID: e33c2f607f6d81a55c8c63b52818e4731fe6ef6ecf9537b1445fde67244212a0
Opcode Fuzzy Hash: d4926f3368c560fb3624083d9edd97a0269cfcbfdb88bdc9d3bdf3f5bdcf3d0a
Instruction Fuzzy Hash: 18F0DA756542907AEB311717AC08EB76FBDE7C6F50B00825BFA10E26A4C6651852EAB0

Function 008410F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00841BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00841BF4
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00841BFC
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00841C07
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00841C12
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00841C1A
Part of subcall function 00841BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00841C22

Part of subcall function 00841B4A: RegisterWindowMessageW.USER32(00000004,?,008412C4), ref: 00841BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0084136A
OleInitialize.OLE32 ref: 00841388
CloseHandle.KERNEL32(00000000,00000000), ref: 008824AB

Strings

H, xrefs: 00841292

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: H
API String ID: 1986988660-1105002124
Opcode ID: 010ae2e15de4bc3001130da462867c00235a56a20d6760b550bcdc571068a7da
Instruction ID: 9653fce5842b38d71df2e7c8864caffbc3a568cf33099b32ca6fca862b07371a
Opcode Fuzzy Hash: 010ae2e15de4bc3001130da462867c00235a56a20d6760b550bcdc571068a7da
Instruction Fuzzy Hash: 7571BAB4B39309AEC784DF79A8456D53BE6FB88340744C26AE21AC73B1EB304485EF05

Function 00843B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00843B0F,SwapMouseButtons,00000004,?), ref: 00843B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00843B0F,SwapMouseButtons,00000004,?), ref: 00843B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00843B0F,SwapMouseButtons,00000004,?), ref: 00843B83

Strings

Control Panel\Mouse, xrefs: 00843B3E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a2a0c8f5bc815f58e110434a32da9fe7841975f6ca3798107fe9d5ce9080536e
Instruction ID: bd6f82800b475c6abbe9290e86666ab40cef256974fc573583b5b03378123006
Opcode Fuzzy Hash: a2a0c8f5bc815f58e110434a32da9fe7841975f6ca3798107fe9d5ce9080536e
Instruction Fuzzy Hash: B31127B561160CFFDB218FA5DC84AAEBBB8FF04768B10856AE805D7110E2319E449BA0

Function 00843923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008833A2

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00843A04

Strings

Line: , xrefs: 008833EB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 09cd70645efc79926ca063bd9cfca87360153dd1728300e5a3196e527b399061
Instruction ID: 061ababe8ab74ba59c3689f11aca4134f9dacc5960edc7d1cfd1bf8c9ecb9a8e
Opcode Fuzzy Hash: 09cd70645efc79926ca063bd9cfca87360153dd1728300e5a3196e527b399061
Instruction Fuzzy Hash: F831C171508308AAD725EB24DC45BEBBBE8FF41714F10492AF599C2291EB709A49C7C3

Function 0085FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00860668

Part of subcall function 008632A4: RaiseException.KERNEL32(?,?,?,0086068A,?,00911444,?,?,?,?,?,?,0086068A,00841129,00908738,00841129), ref: 00863304

__CxxThrowException@8.LIBVCRUNTIME ref: 00860685

Strings

Unknown exception, xrefs: 00860692

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a002fc117aedb7ba0a3f75883594ca6e9f4dd2ed0cade232acf877e14c6bc038
Instruction ID: cf4f9fe38e62f798e56c2e1a7b258d263ebdc754a12041cde8d9a4894f760abb
Opcode Fuzzy Hash: a002fc117aedb7ba0a3f75883594ca6e9f4dd2ed0cade232acf877e14c6bc038
Instruction Fuzzy Hash: F0F0AF2490030DA7CB00BAA8D84AC9F776CFE50314B614531BA14D6692EF71DA698A86

Function 008AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00843923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00843A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008AC259
KillTimer.USER32(?,00000001,?,?), ref: 008AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008AC270

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 22abdb37d5026e862268980a3b436b5a70a105f6bb41946b4dbc29ec5045decb
Instruction ID: 70d48ca59165574b4cd0b0ca9cfaa9df64bbacc0874be09f96d7ebf8251c357f
Opcode Fuzzy Hash: 22abdb37d5026e862268980a3b436b5a70a105f6bb41946b4dbc29ec5045decb
Instruction Fuzzy Hash: 1D319370A04348AFFB229F648855BEBBBECFB07308F00549AD6DAE7241C7745A85CB51

Function 008786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008785CC,?,00908CC8,0000000C), ref: 00878704
GetLastError.KERNEL32(?,008785CC,?,00908CC8,0000000C), ref: 0087870E
__dosmaperr.LIBCMT ref: 00878739

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 819c7d4a441aacba1f2bb3af6b7f06919fc39905aca574965bc12b49273d2aec
Instruction ID: ac6ff6a943318c412196d424bbcbd78c710618a007545208bcf10167cd8e41f4
Opcode Fuzzy Hash: 819c7d4a441aacba1f2bb3af6b7f06919fc39905aca574965bc12b49273d2aec
Instruction Fuzzy Hash: AD012F32A45520B6D7246238684E77E6746FB92774F35C119F81CCB2EADEE1DC81C151

Function 0084DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0084DB7B
DispatchMessageW.USER32(?), ref: 0084DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084DB9F
Sleep.KERNELBASE(0000000A), ref: 0084DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00891CC9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 449734ec219427d056d61d7b8dc51f95464538f1f63a9f7b0304c555baf1b81a
Instruction ID: a1561d6a92f5283911ceb2b80036924cfb21d0e19531eb20bf2d09fb838b2b81
Opcode Fuzzy Hash: 449734ec219427d056d61d7b8dc51f95464538f1f63a9f7b0304c555baf1b81a
Instruction Fuzzy Hash: C6F0FE306593459BEB34DBA49C49FEA73B8FB45315F108A59E65AC30D0DB309488DB15

Function 00851310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008517F6

Strings

CALL, xrefs: 008517C6

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ac4017d57ee2793f77f02d5b2ac1feea43e6f1246ea64e3d6037f1a3cd200ce8
Instruction ID: 01a766c27fc66eb77d646f32f7aad56a7b1cac6bf13f38e6ad97680781b5f784
Opcode Fuzzy Hash: ac4017d57ee2793f77f02d5b2ac1feea43e6f1246ea64e3d6037f1a3cd200ce8
Instruction Fuzzy Hash: 092269706082059FCB14DF18C484B2ABBE1FF85315F18896DF896CB362E771E959CB82

Function 00842DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00882C8C

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

Part of subcall function 00842DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00842DC4

Strings

X, xrefs: 00882C5A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 1eb2f52621c8b0d45cbadec2a692e919ded62a681c79fb05451a87833e4aacdc
Instruction ID: 3ef001a8ef036b32127f3b34701d204cdbfd9d78f0184fae1e89d777660277a6
Opcode Fuzzy Hash: 1eb2f52621c8b0d45cbadec2a692e919ded62a681c79fb05451a87833e4aacdc
Instruction Fuzzy Hash: E3218E71A0025C9ECB01EF98C845BEE7BF9FF49314F00805AE505E7281DBB45A89CFA2

Function 00843837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00843908

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9feb41b9b7decd26a03fac22e7649094417ccab3a59700752962b21c43134edb
Instruction ID: 259f9d3537dab1f87ea619a7b6c9b0b01d1c17e3b979515b623a75241ab100e2
Opcode Fuzzy Hash: 9feb41b9b7decd26a03fac22e7649094417ccab3a59700752962b21c43134edb
Instruction Fuzzy Hash: 98318FB06057059FD720DF24D885797BBE8FB49708F00092EF6AAC3250E771AA44CB52

Function 0085F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0085F661

Part of subcall function 0084D730: GetInputState.USER32 ref: 0084D807

Sleep.KERNEL32(00000000), ref: 0089F2DE

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 90e050000788a41e690fddb6e88a9739b37c935939dd794fada3fb1f382f945e
Instruction ID: 4e577bb8a10625a39ccc2778321847b9baa9f47a19bfaf9631f8472feb78592f
Opcode Fuzzy Hash: 90e050000788a41e690fddb6e88a9739b37c935939dd794fada3fb1f382f945e
Instruction Fuzzy Hash: 09F08C31240209AFD314EF69D549B6AB7E8FF45761F00012AE85DC72A1DB70A800CB91

Function 00844ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00844E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E9C
Part of subcall function 00844E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00844EAE
Part of subcall function 00844E90: FreeLibrary.KERNEL32(00000000,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EFD

Part of subcall function 00844E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E62
Part of subcall function 00844E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844E74
Part of subcall function 00844E59: FreeLibrary.KERNEL32(00000000,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E87

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 656ced756a559c0d3b8b38ad9d9ceb3db0b8ddfe229d86e41cfc8c18e9aa89ae
Instruction ID: 7aa91f4b65754fee463622fb2945fa7eb07cc7a39d6b2a14e9b287399e1389b5
Opcode Fuzzy Hash: 656ced756a559c0d3b8b38ad9d9ceb3db0b8ddfe229d86e41cfc8c18e9aa89ae
Instruction Fuzzy Hash: F611E332600209ABCB14BB68DC02FAD77A5FF40B10F10842EF542E61C1EE749A099751

Function 00878402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00878440

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e5e2b33e9001028d8c543f58f1fc03c8a87c0284bf37b7384655b06a1ac6965a
Instruction ID: be6f79433ae386cd46c47f675298ebcf5f94046d3b4ffa6c6bba998ee129ec3c
Opcode Fuzzy Hash: e5e2b33e9001028d8c543f58f1fc03c8a87c0284bf37b7384655b06a1ac6965a
Instruction Fuzzy Hash: E811187590410AEFCF15DF58E94599A7BF9FF48314F108059F808EB312DA71DA11CBA9

Function 0086E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: aacc67fe8dbfa94172638d00947a1a4a451a3a4553b7477ca38400d2fd051ad8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EDF0F436910A14AAC6323E6DDC09F5A3798FF72334F164715F529D22D2CB70D802C6A7

Function 00873820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6,?,00841129), ref: 00873852

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f5ccc004e65c56b112c9c683d0ff2c23613a19b75b00fc464ac3da8ebfa8521c
Instruction ID: 622cf25930b6cedf9106fd0bfb14083be981d345c125a95938ab53eb7f9b2cef
Opcode Fuzzy Hash: f5ccc004e65c56b112c9c683d0ff2c23613a19b75b00fc464ac3da8ebfa8521c
Instruction Fuzzy Hash: E2E0E531101225A7D7212A6A9C00F9E3748FB427B0F068132FD1CD2699CB71DE01A2E3

Function 00844F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844F6D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 79f2c4418ddf213686da6c99722f4298eb3b110aef82c6148aea6b1e31e1f5a7
Instruction ID: 6a325857c8219a4b436836543dd74774c2db7d7f672b5e30c0ee26d42388a1d5
Opcode Fuzzy Hash: 79f2c4418ddf213686da6c99722f4298eb3b110aef82c6148aea6b1e31e1f5a7
Instruction Fuzzy Hash: 19F0397110575ACFDB349F64D490A22FBE4FF143293209A7EE2EAC2622CB319848DF10

Function 008D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008D2A66

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 02a6b12cb7c0b2e470c2f28d485659a5be203cd642395dbe8fae932c80097e10
Instruction ID: 9cf6d67745c2694a93b54f338149b3e9a8a6310fe5dcee9ebd0a4518f0741e25
Opcode Fuzzy Hash: 02a6b12cb7c0b2e470c2f28d485659a5be203cd642395dbe8fae932c80097e10
Instruction Fuzzy Hash: D9E04F3635012AAADB14EA34EC809FAB75CFBA5395710463BFC16C6240EB30D99586A0

Function 008430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0084314E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cb899cdf875cc739b2b04d4512f86a2f582a31ab71913761302779d3df2a8673
Instruction ID: f1f01f8b42f51b5d5a02fe9db5dfaa6b8c993b18f925551fca9589efa3dacbfc
Opcode Fuzzy Hash: cb899cdf875cc739b2b04d4512f86a2f582a31ab71913761302779d3df2a8673
Instruction Fuzzy Hash: 63F0A770A14318AFE7529B24DC457D57BBCB701708F0001E5A248D6295D7704789CF41

Function 00842DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00842DC4

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 3a0392d45b89aef833bfb38949cdaa9cc2fb701af22d91a469592277956ac5e6
Instruction ID: 66141e0fe520b8e348e125c63c0c28d0dd9fabb20b678a5290a336cfc3654575
Opcode Fuzzy Hash: 3a0392d45b89aef833bfb38949cdaa9cc2fb701af22d91a469592277956ac5e6
Instruction Fuzzy Hash: 47E0CD726001245BCB10A25C9C05FDA77DDFFC8790F040171FD09D7248DE60AD80C651

Function 00842B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00843837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00843908

Part of subcall function 0084D730: GetInputState.USER32 ref: 0084D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00842B6B

Part of subcall function 008430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0084314E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: d4d3f03c55286ab08a2aab2e42c41c6f99e75c866d11eb561cdbd40ebcde7ecb
Instruction ID: 7ab5ceb18098d53a3d5ca7cb6a32ca1d027346bfe8f7c9ad14fe12679eba5d32
Opcode Fuzzy Hash: d4d3f03c55286ab08a2aab2e42c41c6f99e75c866d11eb561cdbd40ebcde7ecb
Instruction Fuzzy Hash: FBE0862170424C17CA18BB7C98525BDF759FBD5765F40163EF142C31B3CE6545858253

Function 0088039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00880704,?,?,00000000,?,00880704,00000000,0000000C), ref: 008803B7

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5a7f003ed6c7a992d4b873ddc48e8e31eedfd892b54ddb0b380cb9c2628bad20
Instruction ID: 16252e6986986a197a5da8ee5ee23a78772108ac7d09e2a85c3c570725475c86
Opcode Fuzzy Hash: 5a7f003ed6c7a992d4b873ddc48e8e31eedfd892b54ddb0b380cb9c2628bad20
Instruction Fuzzy Hash: E7D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014100FE1856020C732E821EB90

Function 00841CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00841CBC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: acdd908676f3e4aa43ee9a106a80f5b4e207ffbe05312586337a0f2989bc7750
Instruction ID: 572ee9c3eeb6647ef6a1e217a9c6d0712e406878e646f0d37eef475fdefe08a1
Opcode Fuzzy Hash: acdd908676f3e4aa43ee9a106a80f5b4e207ffbe05312586337a0f2989bc7750
Instruction Fuzzy Hash: CEC09236398305AFF7149B80BC8AF907B65F348B00F04C202F709A95E3C7B22820FA50

Non-executed Functions

Function 008D9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008D96C9
SendMessageW.USER32 ref: 008D96F2
GetKeyState.USER32(00000011), ref: 008D978B
GetKeyState.USER32(00000009), ref: 008D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008D97AE
GetKeyState.USER32(00000010), ref: 008D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008D97E9
SendMessageW.USER32 ref: 008D9810
SendMessageW.USER32(?,00001030,?,008D7E95), ref: 008D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008D9941
SetCapture.USER32(?), ref: 008D994A
ClientToScreen.USER32(?,?), ref: 008D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008D99D6
ReleaseCapture.USER32 ref: 008D99E1
GetCursorPos.USER32(?), ref: 008D9A19
ScreenToClient.USER32(?,?), ref: 008D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008D9A80
SendMessageW.USER32 ref: 008D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008D9AEB
SendMessageW.USER32 ref: 008D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008D9B4A
GetCursorPos.USER32(?), ref: 008D9B68
ScreenToClient.USER32(?,?), ref: 008D9B75
GetParent.USER32(?), ref: 008D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008D9BFA
SendMessageW.USER32 ref: 008D9C2B
ClientToScreen.USER32(?,?), ref: 008D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008D9CDE
SendMessageW.USER32 ref: 008D9D01
ClientToScreen.USER32(?,?), ref: 008D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008D9D82

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

GetWindowLongW.USER32(?,000000F0), ref: 008D9E05

Strings

@GUI_DRAGID, xrefs: 008D997D
F, xrefs: 008D9D07

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 32958e742ddd3fa18d87ae1df918cd80b94b84f11334a4c4b2e54767571d4f92
Instruction ID: 2ff53417ccf3a131e12a093b8b48769510c2cb1753bcec06e24a4dda958b177f
Opcode Fuzzy Hash: 32958e742ddd3fa18d87ae1df918cd80b94b84f11334a4c4b2e54767571d4f92
Instruction Fuzzy Hash: 97427934205201AFDB24CF68DC44AAABBE5FF58324F14471AF699D73A1E731E850DB52

Function 008D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008D4A7E
IsMenu.USER32(?), ref: 008D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008D4B20
GetWindowLongW.USER32(?,000000F0), ref: 008D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008D4C82
wsprintfW.USER32 ref: 008D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008D4D5A

Strings

%d/%02d/%02d, xrefs: 008D4CA8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 84f3a6f17f747358a224b9b8bb77db03ea4ceef6eccc1fb3525f1870a8c0238c
Instruction ID: 3ff3969f708cbf9ec2e71ceb962fcabbc2bc08e9d0db751067ee4e8faa6cf884
Opcode Fuzzy Hash: 84f3a6f17f747358a224b9b8bb77db03ea4ceef6eccc1fb3525f1870a8c0238c
Instruction Fuzzy Hash: E012ED71600219ABEB248F28DC49FAE7BF8FF45714F10522AF916EB2E1DB749941CB50

Function 0085F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0085F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0089F474
IsIconic.USER32(00000000), ref: 0089F47D
ShowWindow.USER32(00000000,00000009), ref: 0089F48A
SetForegroundWindow.USER32(00000000), ref: 0089F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0089F4AA
GetCurrentThreadId.KERNEL32 ref: 0089F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0089F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0089F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0089F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0089F4DE
SetForegroundWindow.USER32(00000000), ref: 0089F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F4F6
keybd_event.USER32(00000012,00000000), ref: 0089F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F50B
keybd_event.USER32(00000012,00000000), ref: 0089F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F519
keybd_event.USER32(00000012,00000000), ref: 0089F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0089F528
keybd_event.USER32(00000012,00000000), ref: 0089F52D
SetForegroundWindow.USER32(00000000), ref: 0089F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0089F557

Strings

Shell_TrayWnd, xrefs: 0089F46F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b37660af08588ee87a88f96dcc4a38769e994046521135cb760a9c772f9dba67
Instruction ID: 952edf362e957c415091ebf3ae05cc8ba4ee78952d974b57bc9df44c3d8f7db4
Opcode Fuzzy Hash: b37660af08588ee87a88f96dcc4a38769e994046521135cb760a9c772f9dba67
Instruction Fuzzy Hash: 14315E71A41219BAEF206BB55C4AFBF7F6CFB44B50F15016AFA01E61D1C6B09900EA60

Function 008A1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008A170D
Part of subcall function 008A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008A173A
Part of subcall function 008A16C3: GetLastError.KERNEL32 ref: 008A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008A12A8
CloseHandle.KERNEL32(?), ref: 008A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008A12D1
GetProcessWindowStation.USER32 ref: 008A12EA
SetProcessWindowStation.USER32(00000000), ref: 008A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008A1310

Part of subcall function 008A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008A11FC), ref: 008A10D4
Part of subcall function 008A10BF: CloseHandle.KERNEL32(?,?,008A11FC), ref: 008A10E9

Strings

, xrefs: 008A125A
default, xrefs: 008A130B
winsta0, xrefs: 008A12CC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b371afe1446ae33d1efea2b5d8d7861b8fcb7a8e6023b204afc6981e94e3e6a8
Instruction ID: 0b971374a9a706fd4da53f1d9ce73a846e322c61941cdae275d55ed55eaff1ca
Opcode Fuzzy Hash: b371afe1446ae33d1efea2b5d8d7861b8fcb7a8e6023b204afc6981e94e3e6a8
Instruction Fuzzy Hash: FC81A071901209AFEF219FA8DC49FEE7BBAFF09704F14422AF911E65A0D7358944CB25

Function 008A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008A1114
Part of subcall function 008A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1120
Part of subcall function 008A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A112F
Part of subcall function 008A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1136
Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008A0C00
GetLengthSid.ADVAPI32(?), ref: 008A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008A0C6D
GetLengthSid.ADVAPI32(?), ref: 008A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008A0C8C
HeapAlloc.KERNEL32(00000000), ref: 008A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008A0CB4
CopySid.ADVAPI32(00000000), ref: 008A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0D45
HeapFree.KERNEL32(00000000), ref: 008A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0D55
HeapFree.KERNEL32(00000000), ref: 008A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0D65
HeapFree.KERNEL32(00000000), ref: 008A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008A0D78
HeapFree.KERNEL32(00000000), ref: 008A0D7F

Part of subcall function 008A1193: GetProcessHeap.KERNEL32(00000008,008A0BB1,?,00000000,?,008A0BB1,?), ref: 008A11A1
Part of subcall function 008A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008A0BB1,?), ref: 008A11A8
Part of subcall function 008A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008A0BB1,?), ref: 008A11B7

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ceac35541474ced1f223f4325d840b7365cf2c5807ffd4f21ed4d4d53a7cbe9f
Instruction ID: 8a823785e81e775115e30a413895c6ecca2897ec4ee1aad85c0f5a948b54324e
Opcode Fuzzy Hash: ceac35541474ced1f223f4325d840b7365cf2c5807ffd4f21ed4d4d53a7cbe9f
Instruction Fuzzy Hash: 31716A7290121AABEF10DFA4DC48BAEBBB8FF05310F044619E914E7291D775A905CFA1

Function 008BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008DCC08), ref: 008BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 008BEB37
GetClipboardData.USER32(0000000D), ref: 008BEB43
CloseClipboard.USER32 ref: 008BEB4F
GlobalLock.KERNEL32(00000000), ref: 008BEB87
CloseClipboard.USER32 ref: 008BEB91
GlobalUnlock.KERNEL32(00000000), ref: 008BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 008BEBC9
GetClipboardData.USER32(00000001), ref: 008BEBD1
GlobalLock.KERNEL32(00000000), ref: 008BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 008BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 008BEC38
GetClipboardData.USER32(0000000F), ref: 008BEC44
GlobalLock.KERNEL32(00000000), ref: 008BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008BECD2
GlobalUnlock.KERNEL32(00000000), ref: 008BECF3
CountClipboardFormats.USER32 ref: 008BED14
CloseClipboard.USER32 ref: 008BED59

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: adbd80190985a991c04a43adce76b0c8c8fbcac427119698be3cfb413603bb92
Instruction ID: f1c12ec9f89ca37300b5916f59c60e816da41afcf27c97ba3066fdf342159599
Opcode Fuzzy Hash: adbd80190985a991c04a43adce76b0c8c8fbcac427119698be3cfb413603bb92
Instruction Fuzzy Hash: BB61AD35205206AFD310EF28D888FAA7BA8FF84714F18461EF456D73A2DB71D905CB62

Function 008B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008B69BE
FindClose.KERNEL32(00000000), ref: 008B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008B6A75

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 008B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 008B6ADF

Strings

%03d, xrefs: 008B6DA2
%02d, xrefs: 008B6C00, 008B6C0A, 008B6C5A, 008B6CAA, 008B6CFA, 008B6D4A
%4d, xrefs: 008B6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008B6B32
%4d%02d%02d%02d%02d%02d, xrefs: 008B6B6A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3e3db398fdc53022a7f4a1c5a446653983bb4c5bf7efdb1d60efcff2e017195a
Instruction ID: eb26c888aafefbd83700e0ae6b5e7d2a77c2cb57bb514ec77b870c2e23dd9e05
Opcode Fuzzy Hash: 3e3db398fdc53022a7f4a1c5a446653983bb4c5bf7efdb1d60efcff2e017195a
Instruction Fuzzy Hash: D4D12E72508304AEC714EBA8C881EAFB7ECFF98704F444919F585D6291EB74DA48CB63

Function 008B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008B9663
GetFileAttributesW.KERNEL32(?), ref: 008B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 008B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 008B96D3
FindClose.KERNEL32(00000000), ref: 008B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 008B974A
SetCurrentDirectoryW.KERNEL32(00906B7C), ref: 008B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 008B9772
FindClose.KERNEL32(00000000), ref: 008B977F
FindClose.KERNEL32(00000000), ref: 008B978F

Strings

*.*, xrefs: 008B96F5

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 7f6dd35e5dc12a81c58ebd765b089eea6551e92511fd3be2846d07e62039f44b
Instruction ID: ea21b418d9bb072c24ae2a92e008733b1f7ea389596a98626b85a24dce25f6ad
Opcode Fuzzy Hash: 7f6dd35e5dc12a81c58ebd765b089eea6551e92511fd3be2846d07e62039f44b
Instruction Fuzzy Hash: 2231B07254121A6EDB14AFB4DC48ADE77ACFF49320F104256EA55E22A0EB34D984CA54

Function 008B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 008B9819
FindClose.KERNEL32(00000000), ref: 008B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 008B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 008B9890
SetCurrentDirectoryW.KERNEL32(00906B7C), ref: 008B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008B98B8
FindClose.KERNEL32(00000000), ref: 008B98C5
FindClose.KERNEL32(00000000), ref: 008B98D5

Part of subcall function 008ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008ADB00

Strings

*.*, xrefs: 008B983B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9eb1f24805b9183125d0fbe680e961f5839d1d910d99636fc75d5a9163cf164e
Instruction ID: a1fb49ddb5f96d1d27e17b3068d46a9184f2b5abafca81370a9a3685e214c485
Opcode Fuzzy Hash: 9eb1f24805b9183125d0fbe680e961f5839d1d910d99636fc75d5a9163cf164e
Instruction Fuzzy Hash: 0231D47150161A6EDF10EFB8DC48ADE77BCFF46324F104266EA94E22E0DB31D984CA64

Function 008CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 008CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 008CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 008CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008CC382
RegCloseKey.ADVAPI32(00000000), ref: 008CC38F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2374c8ef8aef07821cb99e108f2d7c35c21fe028765598ab1efa1475c73389fa
Instruction ID: ef80575d23d3093efbff328869791a7a1ed4ea325667fbf3e1cb534fd7f476bf
Opcode Fuzzy Hash: 2374c8ef8aef07821cb99e108f2d7c35c21fe028765598ab1efa1475c73389fa
Instruction Fuzzy Hash: 1F0228716042449FD714CF28C895E2ABBF5FF89318F18849DE84ACB2A2DB31EC45CB52

Function 008B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 008B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8395

Strings

*.*, xrefs: 008B839B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: ab8d0d4f57d7f4dabb6629f4ab1605b3f7add051105b171adc1cdc865085a862
Instruction ID: dd6710e6f6fdf73ab742d3b482c86c45ead620031b6a5c177d2883458af9b6d2
Opcode Fuzzy Hash: ab8d0d4f57d7f4dabb6629f4ab1605b3f7add051105b171adc1cdc865085a862
Instruction Fuzzy Hash: A06147725083499FCB10EF68C8449AEB3ECFF89314F04891AF999C7251EB31E945CB92

Function 008AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

Part of subcall function 008AE199: GetFileAttributesW.KERNEL32(?,008ACF95), ref: 008AE19A

FindFirstFileW.KERNEL32(?,?), ref: 008AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008AD1DD
MoveFileW.KERNEL32(?,?), ref: 008AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008AD237

Part of subcall function 008AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008AD21C,?,?), ref: 008AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008AD253
FindClose.KERNEL32(00000000), ref: 008AD264

Strings

\*.*, xrefs: 008AD0CD, 008AD0D6, 008AD0EB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e484991ec7c1397a3853a09173fbe953667018340adf758997b7aac58151467a
Instruction ID: fbae935ad2db41fc9e2f7eda72d56cdd0271cdb6d849381be305d25899db6896
Opcode Fuzzy Hash: e484991ec7c1397a3853a09173fbe953667018340adf758997b7aac58151467a
Instruction Fuzzy Hash: 09615D3184120D9ADF15EBA8D992AEEBB75FF56300F204165E442F7592EB306F09CB62

Function 008BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008BED91
EmptyClipboard.USER32 ref: 008BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 008BEDAC
CloseClipboard.USER32 ref: 008BEEA3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5d6c22e99d30f4ce80c6ad3ad3747b73f7e45de6cb31d1173a6f901af5527119
Instruction ID: 1a3e4a9cde250753f3268e60bbc67f8b636223512811d12e0447ee66132eb192
Opcode Fuzzy Hash: 5d6c22e99d30f4ce80c6ad3ad3747b73f7e45de6cb31d1173a6f901af5527119
Instruction Fuzzy Hash: 48419C35205612AFE720DF19E888B99BBE5FF44318F14C19AE429CB762C775EC42CB90

Function 008AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008A170D
Part of subcall function 008A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008A173A
Part of subcall function 008A16C3: GetLastError.KERNEL32 ref: 008A174A

ExitWindowsEx.USER32(?,00000000), ref: 008AE932

Strings

, xrefs: 008AE920
, xrefs: 008AE95C
SeShutdownPrivilege, xrefs: 008AE902
@, xrefs: 008AE925

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0bb634dfc10d5a2b7c86ba1af838e6f94fec9c8476b17a5b37a2773f1b66d7df
Instruction ID: c428b5fb9b9d4de423fe994d2e420233a10b8c73b96dbf20d474b166e91451c4
Opcode Fuzzy Hash: 0bb634dfc10d5a2b7c86ba1af838e6f94fec9c8476b17a5b37a2773f1b66d7df
Instruction Fuzzy Hash: EB012632610315ABFB1426B89C8ABBB77ACFB16754F180D22F812E25D1D6A05C4081A0

Function 008C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008C1276
WSAGetLastError.WSOCK32 ref: 008C1283
bind.WSOCK32(00000000,?,00000010), ref: 008C12BA
WSAGetLastError.WSOCK32 ref: 008C12C5
closesocket.WSOCK32(00000000), ref: 008C12F4
listen.WSOCK32(00000000,00000005), ref: 008C1303
WSAGetLastError.WSOCK32 ref: 008C130D
closesocket.WSOCK32(00000000), ref: 008C133C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 300a8f67913cb1120637328d3a535479387840e2ee7f09293ec041bcca44d8b1
Instruction ID: 15bbc6069aae1b8326a985f84d67b197239622c2a513039a1a209b0430b6316b
Opcode Fuzzy Hash: 300a8f67913cb1120637328d3a535479387840e2ee7f09293ec041bcca44d8b1
Instruction Fuzzy Hash: 41415A35A001419FDB10DF28C488F29BBF5FB46318F18819DE8568B297C771EC81CBA1

Function 008AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

Part of subcall function 008AE199: GetFileAttributesW.KERNEL32(?,008ACF95), ref: 008AE19A

FindFirstFileW.KERNEL32(?,?), ref: 008AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008AD481
FindClose.KERNEL32(00000000), ref: 008AD498
FindClose.KERNEL32(00000000), ref: 008AD4A1

Strings

\*.*, xrefs: 008AD3F2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9b49717b1db63b525215524ea6353eaff94976259d461cee42c940e11c4f2d63
Instruction ID: 82fdfead8ead7a10110ea083bf7cf762680508e6db4adbc8db3c8a718c143789
Opcode Fuzzy Hash: 9b49717b1db63b525215524ea6353eaff94976259d461cee42c940e11c4f2d63
Instruction Fuzzy Hash: 633182710093499FD304EF68D8558AFBBA8FE96304F444A1EF4D2D3591EB30AA09C767

Function 0087E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0087E645

Strings

1#INF, xrefs: 0087F852
1#SNAN, xrefs: 0087F844
1#IND, xrefs: 0087F83D
1#QNAN, xrefs: 0087F84B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4952dc6ebacc5d2e18e620d93af4f6a1cee4ddcb1475f0af80a324a4e704e324
Instruction ID: 7ea4bef2345aad388a70856368a4d29b4ec05bd87566d88effd960c5f9f15392
Opcode Fuzzy Hash: 4952dc6ebacc5d2e18e620d93af4f6a1cee4ddcb1475f0af80a324a4e704e324
Instruction Fuzzy Hash: 07C24972E086288FDB25CE28DD407EAB7B5FB49304F1481EAD94DE7245E774AE818F41

Function 008B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008B64DC
CoInitialize.OLE32(00000000), ref: 008B6639
CoCreateInstance.OLE32(008DFCF8,00000000,00000001,008DFB68,?), ref: 008B6650
CoUninitialize.OLE32 ref: 008B68D4

Strings

.lnk, xrefs: 008B64BA, 008B6524, 008B65E0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fbb1a69ebed7023847216e6a72a9c9f0af4c5a47aba8237b75dbeaac72079cf5
Instruction ID: 8c054fca404c4648dc9a0ca7fc3581f7d7ccdfbfaa5a384c2bedaceba25f1204
Opcode Fuzzy Hash: fbb1a69ebed7023847216e6a72a9c9f0af4c5a47aba8237b75dbeaac72079cf5
Instruction Fuzzy Hash: 19D12671508205AFC314EF28C8819ABB7E9FF99704F00496DF595CB2A1EB71E919CB92

Function 008C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008C22E8

Part of subcall function 008BE4EC: GetWindowRect.USER32(?,?), ref: 008BE504

GetDesktopWindow.USER32 ref: 008C2312
GetWindowRect.USER32(00000000), ref: 008C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008C2355
GetCursorPos.USER32(?), ref: 008C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008C23DF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ca6d267e2aa7ab985d1fc13eec1a0bec22d44b1044cc1f8399a553ed66f97309
Instruction ID: 948cbee25bdb99ee49ad75153cc1bfb617929246538d49ead82b759dae729d08
Opcode Fuzzy Hash: ca6d267e2aa7ab985d1fc13eec1a0bec22d44b1044cc1f8399a553ed66f97309
Instruction Fuzzy Hash: C631DE72105346ABD720DF28D844F9BBBA9FB84714F000A1EF884D7291DA34E908CB92

Function 008B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008B9C8B

Part of subcall function 008B3874: GetInputState.USER32 ref: 008B38CB
Part of subcall function 008B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008B9C75

Strings

*.*, xrefs: 008B9B5D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 677ce8ed6ee7e3b05d7d4f5ba39d7a71a5bd091e7336a6a0e884f0d4748563a6
Instruction ID: d19bd78709f5b126ca66dd5cd9dbcc4ef44fef75c964dc0af4abadeaa9b4d36f
Opcode Fuzzy Hash: 677ce8ed6ee7e3b05d7d4f5ba39d7a71a5bd091e7336a6a0e884f0d4748563a6
Instruction Fuzzy Hash: EE41517194420A9FDF14DFA8C899AEE7BB4FF05310F244156E545E3291EB309E84CF61

Function 0085997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00859A4E
GetSysColor.USER32(0000000F), ref: 00859B23
SetBkColor.GDI32(?,00000000), ref: 00859B36

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 54140aadcc18c8164dd3f13be8aec5e3373a8303f64df33ca7eeae49b5aaf54f
Instruction ID: f63db45f76c53cbb521acbc2d96e4e13766b2f6dde01671038089a3df5fcb15e
Opcode Fuzzy Hash: 54140aadcc18c8164dd3f13be8aec5e3373a8303f64df33ca7eeae49b5aaf54f
Instruction Fuzzy Hash: 19A19270218568FEEB2ABA3C9C48D7F375DFB42316F18420AF982C66D1CA219D05D273

Function 008C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008C307A
Part of subcall function 008C304E: _wcslen.LIBCMT ref: 008C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008C185D
WSAGetLastError.WSOCK32 ref: 008C1884
bind.WSOCK32(00000000,?,00000010), ref: 008C18DB
WSAGetLastError.WSOCK32 ref: 008C18E6
closesocket.WSOCK32(00000000), ref: 008C1915

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e499011a0111061dc9eb5c0bd01504df092d7431b068812dc569c828f6d8eea5
Instruction ID: 85d13caa97968965ea5e1b8ce417f71415d3b5666731cf28b5f5befaa8cdccad
Opcode Fuzzy Hash: e499011a0111061dc9eb5c0bd01504df092d7431b068812dc569c828f6d8eea5
Instruction Fuzzy Hash: 03519371A002146FDB10AF28C886F2AB7A5FB45718F14859CF9059F393D775ED41CBA2

Function 008D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008D1CC0
IsWindowEnabled.USER32 ref: 008D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008D1CDB
IsIconic.USER32 ref: 008D1CE9
IsZoomed.USER32 ref: 008D1CF7

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7b2ea622d6e483732af2d7d6412642021768dacf2d820a3afe25e7ced3ea1b2c
Instruction ID: 4336b161140eccc1f52ffdcfbf1d0a53b3c7b599da3a1b21838689195e73d1b3
Opcode Fuzzy Hash: 7b2ea622d6e483732af2d7d6412642021768dacf2d820a3afe25e7ced3ea1b2c
Instruction Fuzzy Hash: 6021E531751211AFDB208F1AD848B2A7BE5FF95325F18825EE846CB351DB71EC42CB90

Function 00848060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00885DF0
ERCP, xrefs: 0084813C
VUUU, xrefs: 008483FA
VUUU, xrefs: 0084843C
VUUU, xrefs: 008483E8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1d514eef76137e864bd0364d494a865eacaa46314c1b0367fc35422e0219be6a
Instruction ID: 115821f3330825c5969da8695a2e3c3ad79970337149da1d29e5e95860250ece
Opcode Fuzzy Hash: 1d514eef76137e864bd0364d494a865eacaa46314c1b0367fc35422e0219be6a
Instruction Fuzzy Hash: 1EA26A70A0061ECBDF24DF58C8447AEB7B2FB54314F2581AAE815EB285EB749D91CF90

Function 008AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008AAAAC
SetKeyboardState.USER32(00000080), ref: 008AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008AAB88

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a426da45e4d732ca8544d1d91040e1493eb81e98a4aac67b352c8c6f4c7aaf0b
Instruction ID: fb2689f69b37c4a25b4e8a5f996d41effe26c9e281ce93b792c71350beb4b3b9
Opcode Fuzzy Hash: a426da45e4d732ca8544d1d91040e1493eb81e98a4aac67b352c8c6f4c7aaf0b
Instruction Fuzzy Hash: A7310530A40208AEFB398A68CC05BFA7BA6FB46330F04421AE181D6DD1D3758982C772

Function 0087BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0087BB7F

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

GetTimeZoneInformation.KERNEL32 ref: 0087BB91
WideCharToMultiByte.KERNEL32(00000000,?,0091121C,000000FF,?,0000003F,?,?), ref: 0087BC09
WideCharToMultiByte.KERNEL32(00000000,?,00911270,000000FF,?,0000003F,?,?,?,0091121C,000000FF,?,0000003F,?,?), ref: 0087BC36

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 79b5458a60d9018e4be45aa7349686c74cd439224e88fb558cce773d3552bc72
Instruction ID: 3d0737673bfecd3432f0d857b97a07705253b15320eb347f62c113e6d7949dbf
Opcode Fuzzy Hash: 79b5458a60d9018e4be45aa7349686c74cd439224e88fb558cce773d3552bc72
Instruction Fuzzy Hash: 2231F270A08205EFCB15DF69CC80AA9BBB9FF85320B14C66AE129D72B5C730DD40DB50

Function 008BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008BCE89
GetLastError.KERNEL32(?,00000000), ref: 008BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 008BCEFE

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ba98114bf3b0a030ea4b41d26c7b3bbd226440fe146fe5190cf03aab2457c5f6
Instruction ID: 83aaa5954c5282a01a69e749b53bc9120dfa4f275546e160da61341624d7b9d4
Opcode Fuzzy Hash: ba98114bf3b0a030ea4b41d26c7b3bbd226440fe146fe5190cf03aab2457c5f6
Instruction Fuzzy Hash: 0C219DB1600706DBDB20DFA5C988BA77BF8FB50358F10441EE546D2251EB70EE04CBA0

Function 008A8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008A82AA

Strings

(, xrefs: 008A82F0
|, xrefs: 008A82DA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 8b08c6ae05bedd6cd9a8b87268027b1dbf86e66281eb7de57bae71be12c0145f
Instruction ID: fd5888f1f2f5f74c23ef441e6f62ad37b42ea234780bd85399896259f999023c
Opcode Fuzzy Hash: 8b08c6ae05bedd6cd9a8b87268027b1dbf86e66281eb7de57bae71be12c0145f
Instruction Fuzzy Hash: 90323474A00A05DFDB28CF59C481A6AB7F0FF48710B15C46EE59ADB7A1EB70E981CB50

Function 008B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 008B5D17
FindClose.KERNEL32(?), ref: 008B5D5F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 12ac4c42ea126468e2165e3a709f2fd308c1ae1010080686f0669dfd564d1925
Instruction ID: abb5b4838a8496c10b01bcf7c125cf22f16d49d3172a77672eeba05fe49071d3
Opcode Fuzzy Hash: 12ac4c42ea126468e2165e3a709f2fd308c1ae1010080686f0669dfd564d1925
Instruction Fuzzy Hash: B75189746046019FC714CF28C494A96B7E4FF49314F18866EE95ACB3A2CB30E904CB92

Function 00872622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0087271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00872724
UnhandledExceptionFilter.KERNEL32(?), ref: 00872731

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 896fb97bc108c8413fffd98fab1e97216842128ccbfe5a7a44ff7d5deb714acc
Instruction ID: 84a3ef4cee99fd1181ff9ecc1f9918f3df5288ad1dfd05219111209bff60ad21
Opcode Fuzzy Hash: 896fb97bc108c8413fffd98fab1e97216842128ccbfe5a7a44ff7d5deb714acc
Instruction Fuzzy Hash: 6B31B5749112289BCB25DF68DD8979DB7B8FF18350F5042EAE81CA7261E7309F818F45

Function 008B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008B5238
SetErrorMode.KERNEL32(00000000), ref: 008B52A1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b2ff5b86e4999c7ca988c4e3d004fd563b2ad613eaf2a965c7676702a46739c7
Instruction ID: f1454f1416796b02f1b84a2d6cf75239fae9131f803f0ae8b0e47826d6c3d77a
Opcode Fuzzy Hash: b2ff5b86e4999c7ca988c4e3d004fd563b2ad613eaf2a965c7676702a46739c7
Instruction Fuzzy Hash: 56314B75A006189FDB00DF54D884EADBBB5FF49314F048099E845EB362DB31E856CB91

Function 008A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0085FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00860668
Part of subcall function 0085FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00860685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008A173A
GetLastError.KERNEL32 ref: 008A174A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c3b1fdfce90459823d7f68f10c7a2b24e708bcfb9c736c8b662a2abaedc5681b
Instruction ID: b071068060af192b331865b9838e91c030426122a074cfc373d59b5179779359
Opcode Fuzzy Hash: c3b1fdfce90459823d7f68f10c7a2b24e708bcfb9c736c8b662a2abaedc5681b
Instruction Fuzzy Hash: 4611CEB2400309AFEB18AF54DC8AD6ABBF9FB04714B20852EE45697641EB70BC41CA20

Function 008AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008AD650

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 8452ddcefe69b0e141b78e8a27d8b1bf7a441c1f9a4be86e60bec8c329025795
Instruction ID: 31734d81900d62c88f9dcce35f320814c8b3a624f1a644919a8f15bf4566a010
Opcode Fuzzy Hash: 8452ddcefe69b0e141b78e8a27d8b1bf7a441c1f9a4be86e60bec8c329025795
Instruction Fuzzy Hash: BB113C75E05228BBEB148F959C45FAFBBBCFB45B50F108116F905E7290D6704A058BA1

Function 008A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008A16A1
FreeSid.ADVAPI32(?), ref: 008A16B1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fc0c2ee6ae17e8b96f48a1492c09e84da33c79d6396b97628aa3650caef7ee02
Instruction ID: 2c251ab86ce352bd0b36c68e32ff8222e977189dc9f3334626baee5427215acc
Opcode Fuzzy Hash: fc0c2ee6ae17e8b96f48a1492c09e84da33c79d6396b97628aa3650caef7ee02
Instruction Fuzzy Hash: 8CF0F471951309FBEF00DFE49C89AAEBBBCFB08604F504665E501E2181E774AA448A50

Function 0089D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0089D28C

Strings

X64, xrefs: 0089D2A8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0fed8144fa502257d76f40bb3eec8ba2f5e2ec09c6cba57b252f6898c062b3f8
Instruction ID: 7aa7662d56b6865bd84e4a6aa4011f5b6620660648efa66ed3796f27ccd8a27a
Opcode Fuzzy Hash: 0fed8144fa502257d76f40bb3eec8ba2f5e2ec09c6cba57b252f6898c062b3f8
Instruction Fuzzy Hash: B5D0C9B580121DEACF90DB90DC88DD9B37CFB14309F100252F506E2080D73095488F10

Function 0086CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 023b96ba1370262cf5d907b94f623bdff924deb4e4ba54148c7029d81f1a1b1f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 54021B71E002199FDF14CFA9D8806ADFBF5FF88314F25816AD959EB380D731AA418B94

Function 008B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008B6918
FindClose.KERNEL32(00000000), ref: 008B6961

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8b9f191705c2a13d5b8358ba166b6c3e519875391ea1ee61275e30dc398f2f4e
Instruction ID: a5b1533b5eeaadfc699aabc7d8808150619429f09c17e51d113a3c80b868334f
Opcode Fuzzy Hash: 8b9f191705c2a13d5b8358ba166b6c3e519875391ea1ee61275e30dc398f2f4e
Instruction Fuzzy Hash: 1D1190316042159FD710DF29D484A16BBE5FF85328F14C699E869CF3A2DB34EC05CB91

Function 008B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,008C4891,?,?,00000035,?), ref: 008B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,008C4891,?,?,00000035,?), ref: 008B37F4

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4e6b65a74633cd27dd325f093c612a42b70f078271216e9ad3845010b636911c
Instruction ID: 71411960193777dc371d633806385a4842af9d6ec772a7fff6a69f161848f91c
Opcode Fuzzy Hash: 4e6b65a74633cd27dd325f093c612a42b70f078271216e9ad3845010b636911c
Instruction Fuzzy Hash: ABF0E5B06052296AEB20276A9C4DFEB3BAEFFC4761F000275F509D2281DD609904C7B1

Function 008AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008AB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 008AB270

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 720dab6483781e5180666e712822248e6629c9c9a980547faf915df274f54f7b
Instruction ID: 39064ca8ffeca8de80cb86442b766e546116f50649a5d53d9b4660d93d42dd1c
Opcode Fuzzy Hash: 720dab6483781e5180666e712822248e6629c9c9a980547faf915df274f54f7b
Instruction Fuzzy Hash: 47F01D7180424EABEB059FA4C805BAE7BB4FF05309F00814AF955A6192C7798611DF94

Function 008A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008A11FC), ref: 008A10D4
CloseHandle.KERNEL32(?,?,008A11FC), ref: 008A10E9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a1ac9d85f904b861d02f993a5f4ff8369e042d17346425be0b73b88a1234e927
Instruction ID: 1843003482312f5f0ba3bdc4556471fe11ca2e49c3c8242e5c8a73e4133e01f2
Opcode Fuzzy Hash: a1ac9d85f904b861d02f993a5f4ff8369e042d17346425be0b73b88a1234e927
Instruction Fuzzy Hash: C1E04F32004601AEF7252B15FC0AE777BA9FB04311F10892EF9A5C04B1DB626C90DB10

Function 0084CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00890C40

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 4cd1f3b78dccffc4626c8067ddfafa833adcfe0d7cb2e54694beedd7a683052b
Instruction ID: bcb8e6644033072f87c3cb00670973e8d64dc2ea810c92c3ced170220b6d81be
Opcode Fuzzy Hash: 4cd1f3b78dccffc4626c8067ddfafa833adcfe0d7cb2e54694beedd7a683052b
Instruction Fuzzy Hash: 7D32597090121C9FCF54EF94C885AEDB7B9FF05308F148169E806EB292DB75AE49CB61

Function 0087676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00876766,?,?,00000008,?,?,0087FEFE,00000000), ref: 00876998

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 04814091a4a64dd84586e7729818b446d522ea46f0bb1ea8cb4c1a8cdc8ba049
Instruction ID: 58a193adc3f46c034a484f1788d24fd97f1fa401c70db927f77d045b4469deeb
Opcode Fuzzy Hash: 04814091a4a64dd84586e7729818b446d522ea46f0bb1ea8cb4c1a8cdc8ba049
Instruction Fuzzy Hash: D2B16C31510A099FD719CF28C486B647BE0FF05368F29C658E8ADCF2A6D335D9A1CB40

Function 0085B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0089851F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ad31b83bb158c78e28b070a7a9437b11073ee8b60b91935570a7127fef65342b
Instruction ID: 2a32031af1fbc9849e9bd9b5b380b187d5b63006fd2c1aaef1e7d0ecca0de739
Opcode Fuzzy Hash: ad31b83bb158c78e28b070a7a9437b11073ee8b60b91935570a7127fef65342b
Instruction Fuzzy Hash: 58124D7190022ADFCF24DF58C880AEEB7F5FF58710F14819AE849EB251DB349A85CB94

Function 008BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008BEABD

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dfacd40e12aed5d11c2bebfeacbaa4352774b48cbcef6752d7b45beec82f2d14
Instruction ID: 73590c79b452363b7c249f9fad17654da085db01fe144f7defc23d9622883515
Opcode Fuzzy Hash: dfacd40e12aed5d11c2bebfeacbaa4352774b48cbcef6752d7b45beec82f2d14
Instruction Fuzzy Hash: CEE01A312002189FC710EF69D804E9AF7EDFFA8760F00841AFC49C7391DAB0E8408B91

Function 008609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008603EE), ref: 008609DA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 70d501bd3b4a5dbf4bff16bb1155473d0b0bb20eeeb4cd174896bd70ae5ca04e
Instruction ID: 869b64016c35d42cc5192b0ae42ef4cdbff3424e92194e0274f10b5c3d08c8e3
Opcode Fuzzy Hash: 70d501bd3b4a5dbf4bff16bb1155473d0b0bb20eeeb4cd174896bd70ae5ca04e
Instruction Fuzzy Hash:

Function 0086781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0086798B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 9946e82897407247882bf0a5d72e5869506e09ed1f8a945d986401f12405c208
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E1518C7160C7499BDB38457C845DBBE27C5FB1234CF1A0639D986C7282CA19DE41D3DA

Function 00876DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef65c210be7ddc406f58ae9f3753c82ad7d2641cb246d12899f791a6bca4741a
Instruction ID: 3f54a7ba48ead5d77875b4eafba49102b58e36c4285960fa8953a39028773d14
Opcode Fuzzy Hash: ef65c210be7ddc406f58ae9f3753c82ad7d2641cb246d12899f791a6bca4741a
Instruction Fuzzy Hash: 3F320122D29F454DD7239634CC62335A64DBFB73C5F15D737E81AB99AAEB29C4838100

Function 0085CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ec396d124fe28d6dfa4230c577e06a6b276b344e4784eb15a60fcfd0fe0c79
Instruction ID: 1434ca8c372a0312308d0fbd0fc7fceaec852b905149446fc0a49e4b1d8a2121
Opcode Fuzzy Hash: 48ec396d124fe28d6dfa4230c577e06a6b276b344e4784eb15a60fcfd0fe0c79
Instruction Fuzzy Hash: 97322631A042598FDF28EF29C49067D7BE1FB45319F2C816AD85ADB292D332DD85DB40

Function 00847920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2595581dfd86f4d167a3854783a215f7c1343bca5b6d1933906413c2049455f2
Instruction ID: a97a055baf173612276343ff011470140504569768fb7c11c8cb1dbd658650e4
Opcode Fuzzy Hash: 2595581dfd86f4d167a3854783a215f7c1343bca5b6d1933906413c2049455f2
Instruction Fuzzy Hash: 0722AFB0A0460DDFDF14DFA8C881AAEB7B6FF44314F144529E816EB291EB36AD14CB51

Function 008491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842daa3f20ad02c48d991c2eecbe514770479d4e8b89709763b892f38612bb58
Instruction ID: 680e1a92837f174214a493b2a52bb54feb7bcd417506a9f025dbb2e5d2be2bea
Opcode Fuzzy Hash: 842daa3f20ad02c48d991c2eecbe514770479d4e8b89709763b892f38612bb58
Instruction Fuzzy Hash: 1702D6B0E00219EFDB14EF58D881AAEB7B5FF54304F118169E856DB291EB31EE14CB91

Function 00879EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b36532400609a4b6ded0d6cb7d10ade8b274e4a774f99619d3b49b32cbfdaf
Instruction ID: 6caf65d57398124a303dedfc6a546521790800a7def42fc6aa84ec274cc3adfb
Opcode Fuzzy Hash: 88b36532400609a4b6ded0d6cb7d10ade8b274e4a774f99619d3b49b32cbfdaf
Instruction Fuzzy Hash: 3CB12520D2AF804DD32396399875336B65CBFBB2C5F91D31BFC2679E66EB2285834140

Function 00861C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 997defb9c28eff44361f11602f74cbd2973be7d0130824955c8f7b099be286f7
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 589156726080E34ADF6D463A857847DFFE1EA523A131F079ED4F2CA1C6EE14D954E620

Function 00861F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: caa1aa5a7d88b938df29c71a7b5a6f95e2c8ac0a5dd269650ab1c51a268d465b
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: C391447220D4A349DB6D463A857843EFFE1AA923A131F07DDD4F2CA1C6EE249564E720

Function 008619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 33718bad52d9e4376ea89cb4f9ec68caebc2a0687650c19eeffe9c4283ee7ed3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8C9110722090E34ADF6D467A957C43DFEE1AA923B631F079DD4F2CA1C2FE148554A620

Function 00867A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbf6756e8d017bafcc7ff920b40dae79cdbdd9183f373b6fa03199e9ba86264
Instruction ID: b2e2ef95d0db15e4b848e248d8fb86774154599ca99ae6ade016466e605aa95b
Opcode Fuzzy Hash: cfbf6756e8d017bafcc7ff920b40dae79cdbdd9183f373b6fa03199e9ba86264
Instruction Fuzzy Hash: 72619B3120C71996DE349A6C8CA5BBE3394FF4176CF230A1AE943DB281DA11DE42C3D6

Function 00867CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a59e9997c5f9f640e7924b6a0c34cc59f90716c59551cf302837308d5a21d78
Instruction ID: 9af02686f8b5fb7d300f77e7e9f64449b69f75c8fe064319908756e9044d22ff
Opcode Fuzzy Hash: 3a59e9997c5f9f640e7924b6a0c34cc59f90716c59551cf302837308d5a21d78
Instruction Fuzzy Hash: 70618C7160870996DF388A2C8856BBF2394FF42B0CF120D59E943DB289EA129D4583D6

Function 00861706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1bb862a8ec9ba398e632943b57321fc4ad882a855dfb1d9a390b2de730955dc5
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D8143726090A349DF6D463A857843EFFE1BA923A131F07ADD4F2CB1C6EE249554E620

Function 008B2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60dbbd48723df134c77622d234468885475f8773e937147f100536b5060af39
Instruction ID: f6ab05e7c1da338b02c45480c5d1cd15e57ec169573119e3fa363716c55c4b86
Opcode Fuzzy Hash: b60dbbd48723df134c77622d234468885475f8773e937147f100536b5060af39
Instruction Fuzzy Hash: 1F21A8327206158BD728DF79C8126BA73E5F754310F15862EE4A7C37D0DE35A945DB40

Function 008C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008C2B30
DeleteObject.GDI32(00000000), ref: 008C2B43
DestroyWindow.USER32 ref: 008C2B52
GetDesktopWindow.USER32 ref: 008C2B6D
GetWindowRect.USER32(00000000), ref: 008C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2CF8
GetClientRect.USER32(00000000,?), ref: 008C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D80
GlobalLock.KERNEL32(00000000), ref: 008C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2D98
GlobalUnlock.KERNEL32(00000000), ref: 008C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2DA8
GlobalFree.KERNEL32(00000000), ref: 008C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008DFC38,00000000), ref: 008C2DDB
GlobalFree.KERNEL32(00000000), ref: 008C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008C303F

Strings

static, xrefs: 008C2D3A, 008C2E91
, xrefs: 008C2FC5
AutoIt v3, xrefs: 008C2CF2
DISPLAY, xrefs: 008C2EA2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 422c8cf66616532f4f486637baf76e138b7a188affbecf60d2b23831b08c7849
Instruction ID: 94f8435d87aaab575e128cd3db84119fe74600886b09815934a56b9042e659ef
Opcode Fuzzy Hash: 422c8cf66616532f4f486637baf76e138b7a188affbecf60d2b23831b08c7849
Instruction Fuzzy Hash: 14024C75600219AFDB14DF68CC89EAE7BB9FB48310F048659F915EB2A1DB74ED01CB60

Function 008D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008D712F
GetSysColorBrush.USER32(0000000F), ref: 008D7160
GetSysColor.USER32(0000000F), ref: 008D716C
SetBkColor.GDI32(?,000000FF), ref: 008D7186
SelectObject.GDI32(?,?), ref: 008D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008D71C0
GetSysColor.USER32(00000010), ref: 008D71C8
CreateSolidBrush.GDI32(00000000), ref: 008D71CF
FrameRect.USER32(?,?,00000000), ref: 008D71DE
DeleteObject.GDI32(00000000), ref: 008D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008D7230
FillRect.USER32(?,?,?), ref: 008D7262
GetWindowLongW.USER32(?,000000F0), ref: 008D7284

Part of subcall function 008D73E8: GetSysColor.USER32(00000012), ref: 008D7421
Part of subcall function 008D73E8: SetTextColor.GDI32(?,?), ref: 008D7425
Part of subcall function 008D73E8: GetSysColorBrush.USER32(0000000F), ref: 008D743B
Part of subcall function 008D73E8: GetSysColor.USER32(0000000F), ref: 008D7446
Part of subcall function 008D73E8: GetSysColor.USER32(00000011), ref: 008D7463
Part of subcall function 008D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008D7471
Part of subcall function 008D73E8: SelectObject.GDI32(?,00000000), ref: 008D7482
Part of subcall function 008D73E8: SetBkColor.GDI32(?,00000000), ref: 008D748B
Part of subcall function 008D73E8: SelectObject.GDI32(?,?), ref: 008D7498
Part of subcall function 008D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008D74B7
Part of subcall function 008D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008D74CE
Part of subcall function 008D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008D74DB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4e81957d5c33d2ef8901cedae98228334c211938796cc76c18528e422c645a93
Instruction ID: c15253ad55b49c575ddce133bccbd446390794771ae5c486b82372f5f9b6bacb
Opcode Fuzzy Hash: 4e81957d5c33d2ef8901cedae98228334c211938796cc76c18528e422c645a93
Instruction Fuzzy Hash: 27A18072009312AFDB119F64DC48E5BBBB9FB49321F100B1AF962D62E1E771E944CB51

Function 00858D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00858E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00896AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00896AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00896F43

Part of subcall function 00858F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00858BE8,?,00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858FC5

SendMessageW.USER32(?,00001053), ref: 00896F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00896F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00896FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00896FB7

Strings

0, xrefs: 00896DCF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 631f8897636fbd1fa6ee6d2f1d4233efb46796b13cb8220f7f60ce57740c31ab
Instruction ID: 879dfce597a2af6c4b0e6dffb0e0609858e4ef0021526d78a73311423b92a2dd
Opcode Fuzzy Hash: 631f8897636fbd1fa6ee6d2f1d4233efb46796b13cb8220f7f60ce57740c31ab
Instruction Fuzzy Hash: 9C12CC30205201EFCB25EF28D845BA9B7F1FB44311F18816AF995DB261EB31EC65DB91

Function 008C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008C2900
GetClientRect.USER32(00000000,?), ref: 008C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008C2964
GetStockObject.GDI32(00000011), ref: 008C2974
SelectObject.GDI32(00000000,00000000), ref: 008C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008C2991
DeleteDC.GDI32(00000000), ref: 008C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 008C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008C2A77
GetStockObject.GDI32(00000011), ref: 008C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008C2A97

Strings

static, xrefs: 008C294F, 008C2A71
AutoIt v3, xrefs: 008C28F8
msctls_progress32, xrefs: 008C2A13
DISPLAY, xrefs: 008C295A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4825126949eead3fd1945be68d8ad1afdcf5f7289b4c4333b72ce055b21dc212
Instruction ID: e8439ea99348bd4a3ef3ba54c0c612f4a98611c6d30f0efe7d925112c3e2b69d
Opcode Fuzzy Hash: 4825126949eead3fd1945be68d8ad1afdcf5f7289b4c4333b72ce055b21dc212
Instruction Fuzzy Hash: 80B12B71A50219AFEB14DF68DC85FAEBBB9FB48710F008619FA15EB290D774E940CB50

Function 008B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B4AED
GetDriveTypeW.KERNEL32(?,008DCB68,?,\\.\,008DCC08), ref: 008B4BCA
SetErrorMode.KERNEL32(00000000,008DCB68,?,\\.\,008DCC08), ref: 008B4D36

Strings

Removable, xrefs: 008B4C10, 008B4C15
FileBackedVirtual, xrefs: 008B4CEC
Unknown, xrefs: 008B4BED, 008B4C83
SSD, xrefs: 008B4C4A
ATAPI, xrefs: 008B4C91
Fixed, xrefs: 008B4C09
\\.\, xrefs: 008B4B3F
SAS, xrefs: 008B4CC9
Virtual, xrefs: 008B4CE5
CDROM, xrefs: 008B4BFB
PhysicalDrive, xrefs: 008B4B76
SSA, xrefs: 008B4CA6
iSCSI, xrefs: 008B4CC2
SATA, xrefs: 008B4CD0
1394, xrefs: 008B4C9F
Fibre, xrefs: 008B4CAD
USB, xrefs: 008B4CB4
Network, xrefs: 008B4C02
ATA, xrefs: 008B4C98
MMC, xrefs: 008B4CDE
RAMDisk, xrefs: 008B4BF4
RAID, xrefs: 008B4CBB
SCSI, xrefs: 008B4C8A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 13fd44051d2bc662b405bd2d72fb711a9a4cfb824a244d66bdc4b17490f42e68
Instruction ID: badb65f117f9f3999a324c5cb131a0517628dd883be4918a59fa3666fa11523e
Opcode Fuzzy Hash: 13fd44051d2bc662b405bd2d72fb711a9a4cfb824a244d66bdc4b17490f42e68
Instruction Fuzzy Hash: 7A619E3060520A9FCB14DF28CA939BD7BA0FB45B08B24A415E806EB7D3DB35ED55DB42

Function 008D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008D7421
SetTextColor.GDI32(?,?), ref: 008D7425
GetSysColorBrush.USER32(0000000F), ref: 008D743B
GetSysColor.USER32(0000000F), ref: 008D7446
CreateSolidBrush.GDI32(?), ref: 008D744B
GetSysColor.USER32(00000011), ref: 008D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008D7471
SelectObject.GDI32(?,00000000), ref: 008D7482
SetBkColor.GDI32(?,00000000), ref: 008D748B
SelectObject.GDI32(?,?), ref: 008D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008D7572
DrawFocusRect.USER32(?,?), ref: 008D757D
GetSysColor.USER32(00000011), ref: 008D758E
SetTextColor.GDI32(?,00000000), ref: 008D7596
DrawTextW.USER32(?,008D70F5,000000FF,?,00000000), ref: 008D75A8
SelectObject.GDI32(?,?), ref: 008D75BF
DeleteObject.GDI32(?), ref: 008D75CA
SelectObject.GDI32(?,?), ref: 008D75D0
DeleteObject.GDI32(?), ref: 008D75D5
SetTextColor.GDI32(?,?), ref: 008D75DB
SetBkColor.GDI32(?,?), ref: 008D75E5

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d88d75e240f739627edf08093a0302e7a0457d75596d3df298432578e144f5d6
Instruction ID: 8d85d24bfed65081f109b1849e4a1d9cbaf05cdada3f3a994cfc0d9a541c090a
Opcode Fuzzy Hash: d88d75e240f739627edf08093a0302e7a0457d75596d3df298432578e144f5d6
Instruction Fuzzy Hash: 0F614C72905219AFDF019FA4DC49EEEBFB9FB08320F114216F915AB2A1E7759940CB90

Function 008D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008D1128
GetDesktopWindow.USER32 ref: 008D113D
GetWindowRect.USER32(00000000), ref: 008D1144
GetWindowLongW.USER32(?,000000F0), ref: 008D1199
DestroyWindow.USER32(?), ref: 008D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008D1245
IsWindowVisible.USER32(00000000), ref: 008D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008D12D0
GetWindowRect.USER32(00000000,?), ref: 008D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008D130E
GetMonitorInfoW.USER32(00000000,?), ref: 008D1328
CopyRect.USER32(?,?), ref: 008D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008D13AA

Strings

tooltips_class32, xrefs: 008D11E6
(, xrefs: 008D131B
0, xrefs: 008D10D3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 657f797be39a27c0bb4647c6a5af4c79990456da58be56afb6de1018028b74b9
Instruction ID: ecfcc459f9ceeb3a1e82c5cbc55edd791db51cb99e6f4bdb85898d6e360238ee
Opcode Fuzzy Hash: 657f797be39a27c0bb4647c6a5af4c79990456da58be56afb6de1018028b74b9
Instruction Fuzzy Hash: A7B15C71604341AFDB14DF68D889B6ABBE4FF84354F008A1EF999DB261C771E844CB92

Function 00858891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00858968
GetSystemMetrics.USER32(00000007), ref: 00858970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0085899B
GetSystemMetrics.USER32(00000008), ref: 008589A3
GetSystemMetrics.USER32(00000004), ref: 008589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00858A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00858A3C
GetClientRect.USER32(00000000,000000FF), ref: 00858A5A
GetStockObject.GDI32(00000011), ref: 00858A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00858A81

Part of subcall function 0085912D: GetCursorPos.USER32(?), ref: 00859141
Part of subcall function 0085912D: ScreenToClient.USER32(00000000,?), ref: 0085915E
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000001), ref: 00859183
Part of subcall function 0085912D: GetAsyncKeyState.USER32(00000002), ref: 0085919D

SetTimer.USER32(00000000,00000000,00000028,008590FC), ref: 00858AA8

Strings

AutoIt v3 GUI, xrefs: 00858A20

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1aeee052a0f991e26af72bb2b2adc3cc3d2e4abb6e0910bdaaeb53858e047e1b
Instruction ID: 9df406f9afed4b38e23c4e69b87df6b902b4069baa6e0fe611bf1ec09c7eb9e8
Opcode Fuzzy Hash: 1aeee052a0f991e26af72bb2b2adc3cc3d2e4abb6e0910bdaaeb53858e047e1b
Instruction Fuzzy Hash: 11B15831A0020AEFDF14DFA8DC45BAE3BB5FB48315F14822AFA15E7290DB34A841CB51

Function 008A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008A1114
Part of subcall function 008A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1120
Part of subcall function 008A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A112F
Part of subcall function 008A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1136
Part of subcall function 008A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008A0E29
GetLengthSid.ADVAPI32(?), ref: 008A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008A0E96
GetLengthSid.ADVAPI32(?), ref: 008A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008A0EB5
HeapAlloc.KERNEL32(00000000), ref: 008A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008A0EDD
CopySid.ADVAPI32(00000000), ref: 008A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0F6E
HeapFree.KERNEL32(00000000), ref: 008A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0F7E
HeapFree.KERNEL32(00000000), ref: 008A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A0F8E
HeapFree.KERNEL32(00000000), ref: 008A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008A0FA1
HeapFree.KERNEL32(00000000), ref: 008A0FA8

Part of subcall function 008A1193: GetProcessHeap.KERNEL32(00000008,008A0BB1,?,00000000,?,008A0BB1,?), ref: 008A11A1
Part of subcall function 008A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008A0BB1,?), ref: 008A11A8
Part of subcall function 008A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008A0BB1,?), ref: 008A11B7

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fd339ee836a982b080bdac4b34067d8f019da2161454ca50ef6daf9eab59f74e
Instruction ID: 15aae4e18d2cbeef9aca741933fd4d2df60551a75a1ef7be711588d3597e3c0c
Opcode Fuzzy Hash: fd339ee836a982b080bdac4b34067d8f019da2161454ca50ef6daf9eab59f74e
Instruction Fuzzy Hash: 3F714A7290121AEFEF209FA4DC48BAEBBB8FF05311F044216E959F6191DB71A915CF60

Function 008CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008DCC08,00000000,?,00000000,?,?), ref: 008CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008CC5A4
_wcslen.LIBCMT ref: 008CC5F4
_wcslen.LIBCMT ref: 008CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008CC84D
RegCloseKey.ADVAPI32(?), ref: 008CC881
RegCloseKey.ADVAPI32(00000000), ref: 008CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008CC960

Strings

REG_MULTI_SZ, xrefs: 008CC6F5
REG_QWORD, xrefs: 008CC8C3
REG_BINARY, xrefs: 008CC913
REG_SZ, xrefs: 008CC644
REG_EXPAND_SZ, xrefs: 008CC5CD
REG_DWORD, xrefs: 008CC804

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a37ae1436c71e66bda6e8511c3e7de0a80ec91af91c9db3953286e90260c8871
Instruction ID: 0c0466c7585fe2100980dd8bce5dfa906d77d7e9eb2c5479a123a9b46054af3a
Opcode Fuzzy Hash: a37ae1436c71e66bda6e8511c3e7de0a80ec91af91c9db3953286e90260c8871
Instruction Fuzzy Hash: A71224356042159FDB14DF18C891E2ABBE5FF88714F05885DF88A9B2A2DB31ED41CB82

Function 008D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008D09C6
_wcslen.LIBCMT ref: 008D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008D0A54
_wcslen.LIBCMT ref: 008D0A8A
_wcslen.LIBCMT ref: 008D0B06
_wcslen.LIBCMT ref: 008D0B81

Part of subcall function 0085F9F2: _wcslen.LIBCMT ref: 0085F9FD

Part of subcall function 008A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A2BFA

Strings

ISCHECKED, xrefs: 008D0CE1
EXPAND, xrefs: 008D0BF8
COLLAPSE, xrefs: 008D0B01, 008D0B1C
UNCHECK, xrefs: 008D0D3E
SELECT, xrefs: 008D0D11
GETSELECTED, xrefs: 008D0C4E
GETITEMCOUNT, xrefs: 008D0C1E
CHECK, xrefs: 008D0A85, 008D0AA0
GETTEXT, xrefs: 008D0C97
GETTOTALCOUNT, xrefs: 008D09F2, 008D0A17
EXISTS, xrefs: 008D0B7C, 008D0B97

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1dc6d836df5f7593af57fe146d9755f5e783dc5d4cdb604a65c43662014c4cc2
Instruction ID: 9c0d6d970b874c0f2a4aa1665de8bb34c37a97ded802c4d31ef7a584bbf8b5f9
Opcode Fuzzy Hash: 1dc6d836df5f7593af57fe146d9755f5e783dc5d4cdb604a65c43662014c4cc2
Instruction Fuzzy Hash: 16E147316087159FC714DF28C450A2AB7E2FF98318F158A5AF896DB3A2D731ED45CB82

Function 008CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
_wcslen.LIBCMT ref: 008CC9F1
_wcslen.LIBCMT ref: 008CCA68
_wcslen.LIBCMT ref: 008CCA9E
_wcslen.LIBCMT ref: 008CCAF9
_wcslen.LIBCMT ref: 008CCB2F
_wcslen.LIBCMT ref: 008CCB7F

Strings

HKLM, xrefs: 008CCA98, 008CCA9D
HKEY_LOCAL_MACHINE, xrefs: 008CCA62, 008CCA67
HKCU, xrefs: 008CCBCE
HKU, xrefs: 008CCBF0
HKEY_CLASSES_ROOT, xrefs: 008CCAF3, 008CCAF8
HKEY_CURRENT_CONFIG, xrefs: 008CCB79, 008CCB7E
HKCC, xrefs: 008CCBAC
HKCR, xrefs: 008CCB29, 008CCB2E
HKEY_CURRENT_USER, xrefs: 008CCBBD
HKEY_USERS, xrefs: 008CCBDF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ca6b92bce784b4b64c65325743437cc5b9cd217a8ff2bb43bd7916af7346098e
Instruction ID: 709b7916060d5be8334e4a05702fc79d3ebba2e634ff13e8993c484cdf7f488a
Opcode Fuzzy Hash: ca6b92bce784b4b64c65325743437cc5b9cd217a8ff2bb43bd7916af7346098e
Instruction Fuzzy Hash: 3371D272A0052A8BCB20DEBC8941FBE77B1FB60764F15052CF86AE7285E631DD45C3A1

Function 008D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D835A
_wcslen.LIBCMT ref: 008D836E
_wcslen.LIBCMT ref: 008D8391
_wcslen.LIBCMT ref: 008D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,008D361A,?), ref: 008D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008D8501
FreeLibrary.KERNEL32(?), ref: 008D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008D851D
DestroyIcon.USER32(?), ref: 008D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008D8555

Strings

.icl, xrefs: 008D8368
.exe, xrefs: 008D8388
.dll, xrefs: 008D83AB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6ee05af73e89fbbc9e25a827a421ec95205ad776840edfec12fc6dbb2fd03ebe
Instruction ID: ba60f3c493400c09b9c7bb8836d4e5fcb1f8920a4be2c266dddd1fe09e06952d
Opcode Fuzzy Hash: 6ee05af73e89fbbc9e25a827a421ec95205ad776840edfec12fc6dbb2fd03ebe
Instruction Fuzzy Hash: 3B619D7194021AFAEB14DF68DC45BBE77A8FB04B21F10460AF915DA2D1DF74A990CBA0

Function 00847778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00847817
#include-once, xrefs: 0084782F
Cannot parse #include, xrefs: 00885279
', xrefs: 00885169
#comments-start, xrefs: 0084785F, 008478B1
#ce, xrefs: 008478ED
Unterminated group of comments, xrefs: 0088528C
#pragma compile, xrefs: 008477D3
#comments-end, xrefs: 008478D9
", xrefs: 00885153
#include, xrefs: 00847847
#notrayicon, xrefs: 008477E7
Bad directive syntax error, xrefs: 0088519A
#requireadmin, xrefs: 008477FF
#cs, xrefs: 00847873, 008478C5

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c4ee5ed7cc62abcad1ec570f84390456f9711ec8719e52801e8390ac2df18b03
Instruction ID: 3320eb7a21cc56246116995c63d8491dbd3c6d856d244611c5d72567ff15bca8
Opcode Fuzzy Hash: c4ee5ed7cc62abcad1ec570f84390456f9711ec8719e52801e8390ac2df18b03
Instruction Fuzzy Hash: D8810671A44209BBDB20BF68DC42FAE77A8FF15300F054025F905EB292EB75DA15C792

Function 008B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008B3EF8
_wcslen.LIBCMT ref: 008B3F03
_wcslen.LIBCMT ref: 008B3F5A
_wcslen.LIBCMT ref: 008B3F98
GetDriveTypeW.KERNEL32(?), ref: 008B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008B4087

Strings

type cdaudio alias cd wait, xrefs: 008B4001
closed, xrefs: 008B3F08, 008B3F2D, 008B3F46, 008B3F7E, 008B3F97
set cd door , xrefs: 008B4028
open , xrefs: 008B3FE5
open, xrefs: 008B3F54, 008B3F59
close cd wait, xrefs: 008B4072
wait, xrefs: 008B4044
close, xrefs: 008B3EFE, 008B3F18

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 907e9db13e7dcdc0a7353cc052c53324d74d8d963124380b0617c06eaee271e4
Instruction ID: 2f78ebb4a7fb796f1e2cb5308ee0991bad30f73ec3b453bce118c9e25424b9bc
Opcode Fuzzy Hash: 907e9db13e7dcdc0a7353cc052c53324d74d8d963124380b0617c06eaee271e4
Instruction Fuzzy Hash: 6871AE329046169FC310EF28C8818AAB7E4FF94758F10492DF995D7391EB31ED49CB52

Function 008A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008A5A40
SetWindowTextW.USER32(?,?), ref: 008A5A57
GetDlgItem.USER32(?,000003EA), ref: 008A5A6C
SetWindowTextW.USER32(00000000,?), ref: 008A5A72
GetDlgItem.USER32(?,000003E9), ref: 008A5A82
SetWindowTextW.USER32(00000000,?), ref: 008A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008A5AC3
GetWindowRect.USER32(?,?), ref: 008A5ACC
_wcslen.LIBCMT ref: 008A5B33
SetWindowTextW.USER32(?,?), ref: 008A5B6F
GetDesktopWindow.USER32 ref: 008A5B75
GetWindowRect.USER32(00000000), ref: 008A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008A5BD3
GetClientRect.USER32(?,?), ref: 008A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008A5C2F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6fd3821fc1b8ecb84ec816e3334d0cc2255e087e8a0ca08d724df2810db4eafe
Instruction ID: a88f5c5ae81fad0ca22067ed70fc327c319fcbc552904f709a7bf4fc3a8b1475
Opcode Fuzzy Hash: 6fd3821fc1b8ecb84ec816e3334d0cc2255e087e8a0ca08d724df2810db4eafe
Instruction Fuzzy Hash: 88717031A00B09AFEB20DFA8CD45B6EBBF5FF48715F104619E142E29A0D775E945CB60

Function 008BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 008BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 008BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 008BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 008BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 008BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 008BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 008BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 008BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 008BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 008BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 008BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 008BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 008BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 008BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 008BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 008BFECC
GetCursorInfo.USER32(?), ref: 008BFEDC
GetLastError.KERNEL32 ref: 008BFF1E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: dad682cefeb7106a6c1d04171bcc23fe2a5fb0830ef1dc66e5138cf4b0bda25f
Instruction ID: 228060f48ca5fd31fd294b53facaf88f562cfeb88b124f50fc5d61fcc41008cd
Opcode Fuzzy Hash: dad682cefeb7106a6c1d04171bcc23fe2a5fb0830ef1dc66e5138cf4b0bda25f
Instruction Fuzzy Hash: D34142B0D453196ADB109FBA8C8986EBFE8FF04754B50452AF11DE7381DB78E901CE91

Function 008600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008600C6

Part of subcall function 008600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0091070C,00000FA0,DB1C649F,?,?,?,?,008823B3,000000FF), ref: 0086011C
Part of subcall function 008600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008823B3,000000FF), ref: 00860127
Part of subcall function 008600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008823B3,000000FF), ref: 00860138
Part of subcall function 008600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0086014E
Part of subcall function 008600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0086015C
Part of subcall function 008600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0086016A
Part of subcall function 008600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00860195
Part of subcall function 008600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008601A0

___scrt_fastfail.LIBCMT ref: 008600E7

Part of subcall function 008600A3: __onexit.LIBCMT ref: 008600A9

Strings

InitializeConditionVariable, xrefs: 00860148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00860122
kernel32.dll, xrefs: 00860133
SleepConditionVariableCS, xrefs: 00860154
WakeAllConditionVariable, xrefs: 00860162

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 758a1f27d2ecf045f726833eb898195df6c67eec030cef94c1db20396835301a
Instruction ID: 8aa1bec14edf87875d1de470adae013c7a7937babd60009337d3690ed9ce67e9
Opcode Fuzzy Hash: 758a1f27d2ecf045f726833eb898195df6c67eec030cef94c1db20396835301a
Instruction Fuzzy Hash: 1E2129326457156BDB105BA8AC06B6B33A4FB46B51F01023BF902D73D2DFA49800CE95

Function 008A30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A318D
_wcslen.LIBCMT ref: 008A31F8

Strings

INSTANCE, xrefs: 008A3453
CLASS, xrefs: 008A3188, 008A31A5
REGEXPCLASS, xrefs: 008A3255, 008A3266
NAME, xrefs: 008A3335, 008A3346
TEXT, xrefs: 008A347C
CLASSNN, xrefs: 008A31F3, 008A3204

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: bca9c51bd1f4bd075b4e4a8747f715d99617a760e9f3ddd07555ef176b66fe01
Instruction ID: e45f04492ddc81c6c5621533bca50996cb41bc5b068137697880ee412f21b350
Opcode Fuzzy Hash: bca9c51bd1f4bd075b4e4a8747f715d99617a760e9f3ddd07555ef176b66fe01
Instruction Fuzzy Hash: 23E1E531A00616ABEB18DFB8C4517EEFBB0FF56710F158129F456E7640EB30AE858B90

Function 008B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008DCC08), ref: 008B4527
_wcslen.LIBCMT ref: 008B453B
_wcslen.LIBCMT ref: 008B4599
_wcslen.LIBCMT ref: 008B45F4
_wcslen.LIBCMT ref: 008B463F
_wcslen.LIBCMT ref: 008B46A7

Part of subcall function 0085F9F2: _wcslen.LIBCMT ref: 0085F9FD

GetDriveTypeW.KERNEL32(?,00906BF0,00000061), ref: 008B4743

Strings

ramdisk, xrefs: 008B46F1
unknown, xrefs: 008B4708
cdrom, xrefs: 008B458F, 008B4594
removable, xrefs: 008B45EA, 008B45EF
all, xrefs: 008B4531, 008B4536
network, xrefs: 008B469D, 008B46A2
fixed, xrefs: 008B4635, 008B463A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c96b22e9e4f00f3864ca2276d4d521c23790d3ae5d3f6f89882e79ec0f677f94
Instruction ID: cec7525f024e3e710126a6120fe9e85a60164f0904d61edfcb8502abb2e93e7f
Opcode Fuzzy Hash: c96b22e9e4f00f3864ca2276d4d521c23790d3ae5d3f6f89882e79ec0f677f94
Instruction Fuzzy Hash: 04B1C0716083029FC720DF28C892AAEB7E5FFA6764F50591DF496C7392EB30D844CA52

Function 008C3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008DCC08), ref: 008C40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008C40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,008DCC08), ref: 008C40F2
FreeLibrary.KERNEL32(00000000,?,008DCC08), ref: 008C413E
StringFromGUID2.OLE32(?,?,00000028,?,008DCC08), ref: 008C41A8
SysFreeString.OLEAUT32(00000009), ref: 008C4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008C42C8
SysFreeString.OLEAUT32(?), ref: 008C42F2

Strings

GetModuleHandleExW, xrefs: 008C40C7
kernel32.dll, xrefs: 008C40B6

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 176c67ece7f6a90f99c2d91deb9eccb161f5f2e5b8e0c0cb6e5098898abae95d
Instruction ID: 723cb2c68e25a3cc3338c5d5cb15ba2d9f3ded57eeae32480c580f47f0c517fd
Opcode Fuzzy Hash: 176c67ece7f6a90f99c2d91deb9eccb161f5f2e5b8e0c0cb6e5098898abae95d
Instruction Fuzzy Hash: 81122875A00119EFDB14CF94C894EAEBBB5FF85318F248099E905DB251D731ED86CBA0

Function 0084326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00911990), ref: 00882F8D
GetMenuItemCount.USER32(00911990), ref: 0088303D
GetCursorPos.USER32(?), ref: 00883081
SetForegroundWindow.USER32(00000000), ref: 0088308A
TrackPopupMenuEx.USER32(00911990,00000000,?,00000000,00000000,00000000), ref: 0088309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008830A9

Strings

0, xrefs: 0084327D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 664f1a8ccd228f572c6493e8f6da1a1a5bde8d510fe4e79b9175c3ac674d272e
Instruction ID: 282106f0cadb7f4206d44080dae46ee2dd444e6941da3eb83038697c3a16b970
Opcode Fuzzy Hash: 664f1a8ccd228f572c6493e8f6da1a1a5bde8d510fe4e79b9175c3ac674d272e
Instruction Fuzzy Hash: 7371197064021ABEEB319F28DC49F9ABF64FF05324F204316F624E61E1CBB1A910DB51

Function 008D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 008D6DEB

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008D6E94
DestroyWindow.USER32(?), ref: 008D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00840000,00000000), ref: 008D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008D6EFD
GetDesktopWindow.USER32 ref: 008D6F16
GetWindowRect.USER32(00000000), ref: 008D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008D6F4D

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

Strings

0, xrefs: 008D6D98
tooltips_class32, xrefs: 008D6E58, 008D6EDD

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 8265535d3b9672c582701ac168663124e65f10badd8df3c659959afa41375fdc
Instruction ID: 916976f6c9a5a60689a10632f674f9a67b37ef1e75f1f89a3e99a031f5957edc
Opcode Fuzzy Hash: 8265535d3b9672c582701ac168663124e65f10badd8df3c659959afa41375fdc
Instruction Fuzzy Hash: F0716874104249AFDB21CF18E844EAABBF9FB89304F14461EF999C7361EB70E915DB12

Function 008D911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

DragQueryPoint.SHELL32(?,?), ref: 008D9147

Part of subcall function 008D7674: ClientToScreen.USER32(?,?), ref: 008D769A
Part of subcall function 008D7674: GetWindowRect.USER32(?,?), ref: 008D7710
Part of subcall function 008D7674: PtInRect.USER32(?,?,008D8B89), ref: 008D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008D9277
DragFinish.SHELL32(?), ref: 008D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008D9371

Strings

@GUI_DRAGID, xrefs: 008D92E9
@GUI_DRAGFILE, xrefs: 008D9320
@GUI_DROPID, xrefs: 008D929E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: dcc1083d6383e1a7c3af1632fb763a2c629b6f451eabec00ccde9ad8055434b4
Instruction ID: 95ffadc2a4113aab7e94cba615bdc2f433ff87ce49dd6bd403d1fc877288dbd2
Opcode Fuzzy Hash: dcc1083d6383e1a7c3af1632fb763a2c629b6f451eabec00ccde9ad8055434b4
Instruction Fuzzy Hash: 45616971108305AFC701DF68DC85DAFBBE8FF98750F000A2EF5A5922A1DB709A49CB52

Function 008BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008BC5F0
InternetCloseHandle.WININET(00000000), ref: 008BC5FB

Strings

, xrefs: 008BC575

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 55bad5ad8b56ebe87b46a9c810666186d65b5f708e4a63525f9fd020fb9f8f0b
Instruction ID: d93694be262c9e8ed44af4c9063586b1403c0d27d66dee75f139c03a2fda30b2
Opcode Fuzzy Hash: 55bad5ad8b56ebe87b46a9c810666186d65b5f708e4a63525f9fd020fb9f8f0b
Instruction Fuzzy Hash: 6C5149B1501609BFDB219F65C988AEB7BBCFF08754F00451AF946D6210DB74EA44DBA0

Function 008D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 008D8592
GetFileSize.KERNEL32(00000000,00000000), ref: 008D85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008D85AD
CloseHandle.KERNEL32(00000000), ref: 008D85BA
GlobalLock.KERNEL32(00000000), ref: 008D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008D85D7
GlobalUnlock.KERNEL32(00000000), ref: 008D85E0
CloseHandle.KERNEL32(00000000), ref: 008D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008D85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,008DFC38,?), ref: 008D8611
GlobalFree.KERNEL32(00000000), ref: 008D8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 008D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008D8671
DeleteObject.GDI32(00000000), ref: 008D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008D86AF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eea1bd596fb32879178ee6efef16d4f18775a33d89772914885f92851a45591c
Instruction ID: 29e550f1e56988b2e7f8802db77ae66fdb9ab8943d92a98aac31b7c3f28b7969
Opcode Fuzzy Hash: eea1bd596fb32879178ee6efef16d4f18775a33d89772914885f92851a45591c
Instruction Fuzzy Hash: 69412975601209EFDB119FA5DC48EAE7BBCFF99711F10425AF90AE7260DB309901DB20

Function 008B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 008B1502
VariantCopy.OLEAUT32(?,?), ref: 008B150B
VariantClear.OLEAUT32(?), ref: 008B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 008B1657
VariantInit.OLEAUT32(?), ref: 008B1708
SysFreeString.OLEAUT32(?), ref: 008B178C
VariantClear.OLEAUT32(?), ref: 008B17D8
VariantClear.OLEAUT32(?), ref: 008B17E7
VariantInit.OLEAUT32(00000000), ref: 008B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008B1625
Default, xrefs: 008B16AF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2da226da3abf0cf0dcd51a1c5baf3ad33e36d325b98e3ea4067e89ca2279a00c
Instruction ID: 1131d690202e0c4ebfb2f557b6f8bce279ed4e14da278f24511d99273edd1bd1
Opcode Fuzzy Hash: 2da226da3abf0cf0dcd51a1c5baf3ad33e36d325b98e3ea4067e89ca2279a00c
Instruction Fuzzy Hash: 9CD1E032A00109DBDF249F69E8A9BB9B7B5FF45704F908156E846EF281DB30DC44DB92

Function 008CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 008CB80A
RegCloseKey.ADVAPI32(?), ref: 008CB87E
RegCloseKey.ADVAPI32(?), ref: 008CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 008CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 008CB922
FreeLibrary.KERNEL32(00000000), ref: 008CB983
RegCloseKey.ADVAPI32(00000000), ref: 008CB994

Strings

advapi32.dll, xrefs: 008CB8ED
RegDeleteKeyExW, xrefs: 008CB8FE

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a54ba27d40e9f6422cdbc44d6954389c767f3deb9d48580e82330d36e39eba4f
Instruction ID: 54a38a21671937f6b5f3cc9f910889880195c0e63b2c8a5aaac37cff5f07be12
Opcode Fuzzy Hash: a54ba27d40e9f6422cdbc44d6954389c767f3deb9d48580e82330d36e39eba4f
Instruction Fuzzy Hash: 51C17930209601AFD714DF28C495F2ABBF5FF84318F14855CE49A8B2A2DB75EC49CB92

Function 008C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008C25E8
CreateCompatibleDC.GDI32(?), ref: 008C25F4
SelectObject.GDI32(00000000,?), ref: 008C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008C26D0
SelectObject.GDI32(?,?), ref: 008C26D8
DeleteObject.GDI32(?), ref: 008C26E1
DeleteDC.GDI32(?), ref: 008C26E8
ReleaseDC.USER32(00000000,?), ref: 008C26F3

Strings

(, xrefs: 008C268D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0ce4511bae62c5a60c44008439b21ab2cd0d8ad59eb43c558b0be3e067b136b6
Instruction ID: 5d663a600488dba8512b5a7ccb0013eea10f8de3dfbf15fa8c882a1e63acbb5d
Opcode Fuzzy Hash: 0ce4511bae62c5a60c44008439b21ab2cd0d8ad59eb43c558b0be3e067b136b6
Instruction Fuzzy Hash: 1E61C275D0121AEFCF04CFA8D885EAEBBB5FF48310F24852AE955A7250D770A951CF60

Function 0087DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0087DAA1

Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D659
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D66B
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D67D
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D68F
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6A1
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6B3
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6C5
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6D7
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6E9
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D6FB
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D70D
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D71F
Part of subcall function 0087D63C: _free.LIBCMT ref: 0087D731

_free.LIBCMT ref: 0087DA96

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087DAB8
_free.LIBCMT ref: 0087DACD
_free.LIBCMT ref: 0087DAD8
_free.LIBCMT ref: 0087DAFA
_free.LIBCMT ref: 0087DB0D
_free.LIBCMT ref: 0087DB1B
_free.LIBCMT ref: 0087DB26
_free.LIBCMT ref: 0087DB5E
_free.LIBCMT ref: 0087DB65
_free.LIBCMT ref: 0087DB82
_free.LIBCMT ref: 0087DB9A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98a6161c5445293e89a8e2cef950712664300a415c2a0bf3fc90ddac8b02adb0
Instruction ID: 2b41d844a7ee6b90ef762f912f2a6f6013db3eaaab890f664e01e7c68b2bbce2
Opcode Fuzzy Hash: 98a6161c5445293e89a8e2cef950712664300a415c2a0bf3fc90ddac8b02adb0
Instruction Fuzzy Hash: 15314A326043059FEB21AA39E845F5ABBF9FF00320F15C419E54DD7199DB31EC808721

Function 008A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008A369C
_wcslen.LIBCMT ref: 008A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008A3797
GetClassNameW.USER32(?,?,00000400), ref: 008A380C
GetDlgCtrlID.USER32(?), ref: 008A385D
GetWindowRect.USER32(?,?), ref: 008A3882
GetParent.USER32(?), ref: 008A38A0
ScreenToClient.USER32(00000000), ref: 008A38A7
GetClassNameW.USER32(?,?,00000100), ref: 008A3921
GetWindowTextW.USER32(?,?,00000400), ref: 008A395D

Strings

%s%u, xrefs: 008A3734

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 80bf9f8596ca8986846bd66b68fdd034159b0c01a76a19f9ff95719c5c075f57
Instruction ID: 828641b1f1895c2367303c0273347225cff4d67456d78e267ed77b6cc0a3d719
Opcode Fuzzy Hash: 80bf9f8596ca8986846bd66b68fdd034159b0c01a76a19f9ff95719c5c075f57
Instruction Fuzzy Hash: FC91C371204706AFE719DF24C885FABF7A8FF46350F008629F999C2590EB34EA45CB91

Function 008A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008A4994
GetWindowTextW.USER32(?,?,00000400), ref: 008A49DA
_wcslen.LIBCMT ref: 008A49EB
CharUpperBuffW.USER32(?,00000000), ref: 008A49F7
_wcsstr.LIBVCRUNTIME ref: 008A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008A4B20
GetWindowRect.USER32(?,?), ref: 008A4B8B

Strings

ThumbnailClass, xrefs: 008A4A6F, 008A4AF1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f9d7ccbdd5e085c5e6993cd0a88a89999e606fd0736477a283f490f0a6ba1f47
Instruction ID: ccf57c1e1a99c59b79170454c56474e6c2e39287f620faa52e393777698af651
Opcode Fuzzy Hash: f9d7ccbdd5e085c5e6993cd0a88a89999e606fd0736477a283f490f0a6ba1f47
Instruction Fuzzy Hash: 0991E0710042059FEF04CF54D881BAA77E8FF85324F04946AFD85DA496EB70ED46CBA2

Function 008ABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00911990,000000FF,00000000,00000030), ref: 008ABFAC
SetMenuItemInfoW.USER32(00911990,00000004,00000000,00000030), ref: 008ABFE1
Sleep.KERNEL32(000001F4), ref: 008ABFF3
GetMenuItemCount.USER32(?), ref: 008AC039
GetMenuItemID.USER32(?,00000000), ref: 008AC056
GetMenuItemID.USER32(?,-00000001), ref: 008AC082
GetMenuItemID.USER32(?,?), ref: 008AC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008AC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008AC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008AC145

Strings

0, xrefs: 008ABF3D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0782d6ff3167128ad2bf419b42bc7250f048a2363614c516cdb3205eb62ad75b
Instruction ID: c6f3f573e632027ddf304e25938f527d9eb2c052926190e8855380d1a066e5fe
Opcode Fuzzy Hash: 0782d6ff3167128ad2bf419b42bc7250f048a2363614c516cdb3205eb62ad75b
Instruction Fuzzy Hash: E661ADB0A0064AEFEF11CF68DD88AEEBBB8FB06344F044155E911E3692C731AD05CB61

Function 008CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008CCD48

Part of subcall function 008CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008CCCAA
Part of subcall function 008CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008CCCBD
Part of subcall function 008CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008CCCCF
Part of subcall function 008CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008CCD05
Part of subcall function 008CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 008CCCF3

Strings

advapi32.dll, xrefs: 008CCCB8
RegDeleteKeyExW, xrefs: 008CCCC9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8414c090c6aeb30d4dc546b8effbe2ea88540b7bfddd95f6c7c4fe2819c8ef8e
Instruction ID: ef70d1fb8cf6b13b4f6ae15cc77223bdd4f1b67571bd4e68c822935c08d37681
Opcode Fuzzy Hash: 8414c090c6aeb30d4dc546b8effbe2ea88540b7bfddd95f6c7c4fe2819c8ef8e
Instruction Fuzzy Hash: E931617190212ABBDB208B55DC88EFFBB7CFF55754F004269F90AE2140DB349E45DAA0

Function 008B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008B3D40
_wcslen.LIBCMT ref: 008B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 008B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 008B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008B3E55
CloseHandle.KERNEL32(00000000), ref: 008B3E60
CloseHandle.KERNEL32(00000000), ref: 008B3E6B

Strings

\, xrefs: 008B3D77
\??\%s, xrefs: 008B3D5B
:, xrefs: 008B3D82

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a0e5a79293410ac7893676179f8c8915b67a57c0dfe0cc59e29015afa0d476b5
Instruction ID: fae79b8ef1f0e40df60fdf2da0a4eca908424cffb68103f3ea86672a70eb9bf0
Opcode Fuzzy Hash: a0e5a79293410ac7893676179f8c8915b67a57c0dfe0cc59e29015afa0d476b5
Instruction Fuzzy Hash: 8B31A17194021AABDB209BA4DC49FEF77BCFF88700F5441A6F609D6260EB709744CB24

Function 008AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008AE6B4

Part of subcall function 0085E551: timeGetTime.WINMM(?,?,008AE6D4), ref: 0085E555

Sleep.KERNEL32(0000000A), ref: 008AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008AE727
SetActiveWindow.USER32 ref: 008AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008AE773
Sleep.KERNEL32(000000FA), ref: 008AE77E
IsWindow.USER32 ref: 008AE78A
EndDialog.USER32(00000000), ref: 008AE79B

Strings

BUTTON, xrefs: 008AE719

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7a8ec4e9642fcd7fff2e3f1cf92d747dda1d2666756a797169eb2a040d876c2c
Instruction ID: 3cacc0b14a408c1908dca9911d175c725150d774e19f1eb4d0fd64716b0e21a1
Opcode Fuzzy Hash: 7a8ec4e9642fcd7fff2e3f1cf92d747dda1d2666756a797169eb2a040d876c2c
Instruction Fuzzy Hash: 88219370314206BFFB106F64EC89B693B69F7A6389F104926F512C25E1DB71AC10EA25

Function 008AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008AEAA7

Strings

close PlayMe, xrefs: 008AEA6E, 008AEA9B
alias PlayMe, xrefs: 008AEA36
play PlayMe wait, xrefs: 008AEA91
open , xrefs: 008AEA0C
play PlayMe, xrefs: 008AEAA2
status PlayMe mode, xrefs: 008AEA58

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7c5febde9c68926274dd1ef1c0a5f678f0338cd5c21d75d9b139d94eb58698ea
Instruction ID: 13dec9f0f15da7f13d9d480ef2b0b1be7a764adf4574ca0ecbcef1878e2f5f65
Opcode Fuzzy Hash: 7c5febde9c68926274dd1ef1c0a5f678f0338cd5c21d75d9b139d94eb58698ea
Instruction Fuzzy Hash: 2011543169026D7DE720A765DC4AEFF6ABCFBE2B44F000425B411E24D1DF701915C5B1

Function 008A9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008AA012
SetKeyboardState.USER32(?), ref: 008AA07D
GetAsyncKeyState.USER32(000000A0), ref: 008AA09D
GetKeyState.USER32(000000A0), ref: 008AA0B4
GetAsyncKeyState.USER32(000000A1), ref: 008AA0E3
GetKeyState.USER32(000000A1), ref: 008AA0F4
GetAsyncKeyState.USER32(00000011), ref: 008AA120
GetKeyState.USER32(00000011), ref: 008AA12E
GetAsyncKeyState.USER32(00000012), ref: 008AA157
GetKeyState.USER32(00000012), ref: 008AA165
GetAsyncKeyState.USER32(0000005B), ref: 008AA18E
GetKeyState.USER32(0000005B), ref: 008AA19C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9fd775157c2eeae1462c5db0ae122bb5c7a2ada1a51d9eaec1ad32191461118
Instruction ID: c13b61c4ed486d8a3f770ac08d02e2c130dda8848ece0f1a9792a4013ebb1942
Opcode Fuzzy Hash: c9fd775157c2eeae1462c5db0ae122bb5c7a2ada1a51d9eaec1ad32191461118
Instruction Fuzzy Hash: 1E51A82050878869FB39DB648411BAABFB5FF13340F08459AD5C2D7DC2DB549A4CC763

Function 008A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008A5CE2
GetWindowRect.USER32(00000000,?), ref: 008A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008A5D59
GetDlgItem.USER32(?,00000002), ref: 008A5D69
GetWindowRect.USER32(00000000,?), ref: 008A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008A5DCF
GetDlgItem.USER32(?,000003E9), ref: 008A5DDD
GetWindowRect.USER32(00000000,?), ref: 008A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008A5E31
GetDlgItem.USER32(?,000003EA), ref: 008A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008A5E67

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d7037e6c631d688b3413d75c4a19c7811fbfd757342b5ac6312fa73bd930b2f2
Instruction ID: e58ad84007ee46f6e4994f4c233d015f1ad2d4e5f59750a6e307bb5c545dcb81
Opcode Fuzzy Hash: d7037e6c631d688b3413d75c4a19c7811fbfd757342b5ac6312fa73bd930b2f2
Instruction Fuzzy Hash: 57511071B0060AAFDF18CF68DD89AAEBBB5FB59310F148229F515E7690D7709E40CB50

Function 00858BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00858F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00858BE8,?,00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858FC5

DestroyWindow.USER32(?), ref: 00858C81
KillTimer.USER32(00000000,?,?,?,?,00858BBA,00000000,?), ref: 00858D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00896973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00858BBA,00000000,?), ref: 008969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00858BBA,00000000,?), ref: 008969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00858BBA,00000000), ref: 008969D4
DeleteObject.GDI32(00000000), ref: 008969E6

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5ed40156059299695e61f72eb86decc283b4ecf3a6338c90becdd1a226e8461a
Instruction ID: 1d3b0a9da62012b80297bbce1a4e00b5479a1948601c5b37710bf63bda90c7d7
Opcode Fuzzy Hash: 5ed40156059299695e61f72eb86decc283b4ecf3a6338c90becdd1a226e8461a
Instruction Fuzzy Hash: B161AA30216615EFCF25AF18D948B6977F1FB40327F14861AE543EA560CB31AC98DB90

Function 00859838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00859944: GetWindowLongW.USER32(?,000000EB), ref: 00859952

GetSysColor.USER32(0000000F), ref: 00859862

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e59f03ff11ad60284dead44c0d5859ad9cfad8eb7599fd4bdb296cba96895e16
Instruction ID: 61b4574b132fa716515c0b5847a8d9ece8e66a2c8e7a1d143deeb3752b3fcd86
Opcode Fuzzy Hash: e59f03ff11ad60284dead44c0d5859ad9cfad8eb7599fd4bdb296cba96895e16
Instruction Fuzzy Hash: 08418E31105655EFDF205F389C88BB93BA5FB06332F184666E9E2CB2E1D7319845DB10

Function 008A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0088F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008A9717
LoadStringW.USER32(00000000,?,0088F7F8,00000001), ref: 008A9720

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0088F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008A9742
LoadStringW.USER32(00000000,?,0088F7F8,00000001), ref: 008A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008A9866

Strings

Error: , xrefs: 008A981D
%s (%d) : ==> %s: %s %s, xrefs: 008A984A
Line %d (File "%s"):, xrefs: 008A978F
^ ERROR, xrefs: 008A97FB
Line %d:, xrefs: 008A97A0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 58fb87bce6c9f2a29941990c8b3db593d663cabf817e5e999feefedf46f42e9e
Instruction ID: a7ac225106a8e7ac2e130624796eeb057b96302a8753bc3d5fcbf3846168e779
Opcode Fuzzy Hash: 58fb87bce6c9f2a29941990c8b3db593d663cabf817e5e999feefedf46f42e9e
Instruction Fuzzy Hash: 2A41387280421DAADF14EBE8DD86DEEB778FF55340F500025F601B2092EB256F48CAA2

Function 008A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008A083C

Strings

\CLSID, xrefs: 008A0724
\IPC$, xrefs: 008A0784
SOFTWARE\Classes\, xrefs: 008A070E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 092be5fc7ec4b7cad76f50841915c506ad02ccd80f77c38c7a2b26e871d2d8d7
Instruction ID: 740bf2d02190599369a47a9ca6f59fcf92dee3efb7e6b17f02ecd6c01195a343
Opcode Fuzzy Hash: 092be5fc7ec4b7cad76f50841915c506ad02ccd80f77c38c7a2b26e871d2d8d7
Instruction Fuzzy Hash: D841D572C1122DABDF25EBA8DC958EEB778FF44350F454129E911A71A1EB309E04CFA1

Function 008D3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008D403B
CreateCompatibleDC.GDI32(00000000), ref: 008D4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008D4055
SelectObject.GDI32(00000000,00000000), ref: 008D405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 008D4068
DeleteDC.GDI32(00000000), ref: 008D4072
GetWindowLongW.USER32(?,000000EC), ref: 008D407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 008D4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 008D409E

Strings

static, xrefs: 008D3FD3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f819e84434f076994c59f5f74659f4221e936b313ab6ef947b338d9a08f9205a
Instruction ID: 923c70aee82cf8c6d6c6be072f98cf26e8862fb6ea0b6229575522155635ad79
Opcode Fuzzy Hash: f819e84434f076994c59f5f74659f4221e936b313ab6ef947b338d9a08f9205a
Instruction Fuzzy Hash: 7031693214121AABDF219FA8DC09FDA3B68FF09320F000312FA15E62A0DB75D820DB50

Function 008C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C3C5C
CoInitialize.OLE32(00000000), ref: 008C3C8A
CoUninitialize.OLE32 ref: 008C3C94
_wcslen.LIBCMT ref: 008C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 008C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 008C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008C3F0E
CoGetObject.OLE32(?,00000000,008DFB98,?), ref: 008C3F2D
SetErrorMode.KERNEL32(00000000), ref: 008C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008C3FC4
VariantClear.OLEAUT32(?), ref: 008C3FD8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1813b23f2555380da242ced43febe19f553c1a8dfe68b23723f5c18de2fb9e82
Instruction ID: 6c5ee310907c348bc61386d063b6547c3dc7bd980a22c5b572da453e361b5d62
Opcode Fuzzy Hash: 1813b23f2555380da242ced43febe19f553c1a8dfe68b23723f5c18de2fb9e82
Instruction Fuzzy Hash: 46C1F2716082059F9710DF68C884E2AB7F9FF89748F10891DF98ADB251DB31ED06CB52

Function 008B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 008B7BA3
CoCreateInstance.OLE32(008DFD08,00000000,00000001,00906E6C,?), ref: 008B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008B7C74
CoTaskMemFree.OLE32(?,?), ref: 008B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 008B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008B7D7A
CoTaskMemFree.OLE32(00000000), ref: 008B7D81
CoTaskMemFree.OLE32(00000000), ref: 008B7DD6
CoUninitialize.OLE32 ref: 008B7DDC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0597afe60bb4e973b2b8f107dcbbc63dbaaf1cb209a32be35928a6779e5dcede
Instruction ID: 5f18c31c7fc71a2aa466dc84b86ffbb585d5a400c48085814e33f85576416cf1
Opcode Fuzzy Hash: 0597afe60bb4e973b2b8f107dcbbc63dbaaf1cb209a32be35928a6779e5dcede
Instruction Fuzzy Hash: 7EC12B75A04209AFCB14DFA8C894DAEBBF9FF48314B1485A9E819DB361D730ED45CB90

Function 008D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008D5515
CharNextW.USER32(00000158), ref: 008D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008D55AC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: b957289f2645fdb10334a5f78d10670171fc79588db0cf69060f08e522b3854c
Instruction ID: a22ad5cacd8214450eec3bfb2433836489bcb136d67f59c3c2ad0b8a85d1471a
Opcode Fuzzy Hash: b957289f2645fdb10334a5f78d10670171fc79588db0cf69060f08e522b3854c
Instruction Fuzzy Hash: 11617B70905609ABDF109F94DC84EFE7BB9FB09764F10824BF925EA390D7708A80DB61

Function 0089FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0089FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0089FB08
VariantInit.OLEAUT32(?), ref: 0089FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0089FB3A
VariantCopy.OLEAUT32(?,?), ref: 0089FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0089FBA1
VariantClear.OLEAUT32(?), ref: 0089FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0089FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0089FBCC
VariantClear.OLEAUT32(?), ref: 0089FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0089FBE9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a79da92eec648a562c4a6933f3c2dc38b904f1063b60f1b07ebf9efa443360be
Instruction ID: b4269d0bdf63f3f8763908abc0868826a6fd443991d2f9c97436c61b7a84a95b
Opcode Fuzzy Hash: a79da92eec648a562c4a6933f3c2dc38b904f1063b60f1b07ebf9efa443360be
Instruction Fuzzy Hash: 26416035A0021A9FCF04EF68CC549AEBBB9FF08354F048169E945E7262CB70A945CF91

Function 008A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008A9D22
GetKeyState.USER32(000000A0), ref: 008A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008A9D57
GetKeyState.USER32(000000A1), ref: 008A9D6C
GetAsyncKeyState.USER32(00000011), ref: 008A9D84
GetKeyState.USER32(00000011), ref: 008A9D96
GetAsyncKeyState.USER32(00000012), ref: 008A9DAE
GetKeyState.USER32(00000012), ref: 008A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008A9DD8
GetKeyState.USER32(0000005B), ref: 008A9DEA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e25a1447b115dd2bc5178ab9015a0663f3e0f6b45cd6f8e99669661d0afaa53e
Instruction ID: a6c7e8b577e5d9509161e46f0b6011774448a82253bf67597daddf4676846537
Opcode Fuzzy Hash: e25a1447b115dd2bc5178ab9015a0663f3e0f6b45cd6f8e99669661d0afaa53e
Instruction Fuzzy Hash: 6E41D63450CBCA6DFF30866488443B5BFA0FF13354F04815ADAC6969C2EBE499C8C7A2

Function 008C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008C05BC
inet_addr.WSOCK32(?), ref: 008C061C
gethostbyname.WSOCK32(?), ref: 008C0628
IcmpCreateFile.IPHLPAPI ref: 008C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008C07B9
WSACleanup.WSOCK32 ref: 008C07BF

Strings

Ping, xrefs: 008C0676

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 46eaec1559bb603e28264939af2b941a8bf51cea0250c682e75893faad2687d3
Instruction ID: 298b12881c8d89968a37bf2b102c994aef281b50dfbd1def57a26ecca499969e
Opcode Fuzzy Hash: 46eaec1559bb603e28264939af2b941a8bf51cea0250c682e75893faad2687d3
Instruction Fuzzy Hash: 34914435608201DFD724CF19C889F1ABBE0FB44358F1486A9E469DB6A2C731ED45CF82

Function 008C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008C8CF3

Part of subcall function 008A8E54: _wcslen.LIBCMT ref: 008A8E77

_wcslen.LIBCMT ref: 008C8D4E
_wcslen.LIBCMT ref: 008C8D9C
_wcslen.LIBCMT ref: 008C8DDC
_wcslen.LIBCMT ref: 008C8E6E

Strings

none, xrefs: 008C8E65, 008C8E6A
winapi, xrefs: 008C8D96, 008C8D9B
cdecl, xrefs: 008C8D48, 008C8D4D
stdcall, xrefs: 008C8DD6, 008C8DDB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1b905459adcc64ae28b525faac0e700a66e83b9fb17156a8bc6021a77b095286
Instruction ID: 59b640f7b6a3ff85d06e528e8ce453ae3d0b8982b8b5f63d7c2aa338f6c8d3b2
Opcode Fuzzy Hash: 1b905459adcc64ae28b525faac0e700a66e83b9fb17156a8bc6021a77b095286
Instruction Fuzzy Hash: 75518D32A4011ADACB24DF6CC940ABEB7B5FF64324B21422DE526E72C5DB31DD40C791

Function 008C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 008C3774
CoUninitialize.OLE32 ref: 008C377F
CoCreateInstance.OLE32(?,00000000,00000017,008DFB78,?), ref: 008C37D9
IIDFromString.OLE32(?,?), ref: 008C384C
VariantInit.OLEAUT32(?), ref: 008C38E4
VariantClear.OLEAUT32(?), ref: 008C3936

Strings

Invalid parameter, xrefs: 008C3865
Failed to create object, xrefs: 008C37E4, 008C389A
NULL Pointer assignment, xrefs: 008C381E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e8fe5bffe05caca01360a75954a30b394a23c4c0269adf949cd69e74a0d82e9b
Instruction ID: 1aa0cb1fab19e59214e6c622c8ce2ef8e3f7fe6cdcfa4f42eddb52850b3c5c3c
Opcode Fuzzy Hash: e8fe5bffe05caca01360a75954a30b394a23c4c0269adf949cd69e74a0d82e9b
Instruction Fuzzy Hash: 41614770608211AFD210DF58C889F6ABBF4FF89715F10892DF985DB291D770EA49CB92

Function 008B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008B33CF

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008B33F0

Strings

Error: , xrefs: 008B34D1
^ ERROR , xrefs: 008B349E
"%s" (%d) : ==> %s:%s%s, xrefs: 008B3504
"%s" (%d) : ==> %s:, xrefs: 008B3522
Line %d (File "%s"):, xrefs: 008B3443, 008B345C
Incorrect parameters to object property !, xrefs: 008B34AB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 922a0e94e5822fc02a29bf8aad7720466e94b5cf71f479c120b9446adbb04c56
Instruction ID: 847a40db25ca0b1047ee04b5cb19ce6da0753ae8c58d1f95f8da955d9d208cc8
Opcode Fuzzy Hash: 922a0e94e5822fc02a29bf8aad7720466e94b5cf71f479c120b9446adbb04c56
Instruction Fuzzy Hash: E4518D32904209AADF25EBA8DD46EEEB778FF14344F104165F505B21A2EB312F58DB62

Function 008AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008AB5FC
_wcslen.LIBCMT ref: 008AB608
_wcslen.LIBCMT ref: 008AB64D
_wcslen.LIBCMT ref: 008AB68C
_wcslen.LIBCMT ref: 008AB6C7

Strings

REMOVE, xrefs: 008AB602, 008AB607
APPEND, xrefs: 008AB6C1, 008AB6C6
EXISTS, xrefs: 008AB686, 008AB68B
KEYS, xrefs: 008AB647, 008AB64C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6103eeb87174dcbc1f1cf923235782593bfe6b38f4b024862b27d29d42208199
Instruction ID: c96ca53716d39b63c76aaee2e71143414cff1acaec7e7adadc789370de305192
Opcode Fuzzy Hash: 6103eeb87174dcbc1f1cf923235782593bfe6b38f4b024862b27d29d42208199
Instruction Fuzzy Hash: BC41D832A001279BDB205F7DC8905BE7BA5FF72754B254129E461DB686F731CD81C790

Function 008B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008B5416
GetLastError.KERNEL32 ref: 008B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 008B54A7

Strings

UNKNOWN, xrefs: 008B5444
READONLY, xrefs: 008B5452
NOTREADY, xrefs: 008B544B
READY, xrefs: 008B5460, 008B5468
INVALID, xrefs: 008B5459

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: faa4e9ff7b4bbe5d5bdb6ac583fd2844eeb98ccdf2adaca2caf66b57726802cc
Instruction ID: 2ba5560bd1cb98f6e5f57d4f47c98c471ef58a35c2d8dafd0c86297ce7e89f46
Opcode Fuzzy Hash: faa4e9ff7b4bbe5d5bdb6ac583fd2844eeb98ccdf2adaca2caf66b57726802cc
Instruction Fuzzy Hash: 8A316DB5A006099FDB10DF68C884BEABBB4FB45309F148069E505DB392DB71ED86CB91

Function 008D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008D3C79
SetMenu.USER32(?,00000000), ref: 008D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008D3D10
IsMenu.USER32(?), ref: 008D3D24
CreatePopupMenu.USER32 ref: 008D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008D3D5B
DrawMenuBar.USER32 ref: 008D3D63

Strings

F, xrefs: 008D3D4E
0, xrefs: 008D3C54

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 495e8f62849767e317694afe24e54f24ed4a51a909630b9af80d444688ff2750
Instruction ID: 050d9d36c7b3b95d5aa21a234fc6cdb727357944f5383f6a57897cb6efb03847
Opcode Fuzzy Hash: 495e8f62849767e317694afe24e54f24ed4a51a909630b9af80d444688ff2750
Instruction Fuzzy Hash: 21415D75A0120AEFDB14CF64E844ADA7BB6FF49350F14022AF946D7360D730AA10CF55

Function 008A1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008A1F64
GetDlgCtrlID.USER32 ref: 008A1F6F
GetParent.USER32 ref: 008A1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 008A1F8E
GetDlgCtrlID.USER32(?), ref: 008A1F97
GetParent.USER32(?), ref: 008A1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 008A1FAE

Strings

ListBox, xrefs: 008A1F21
ComboBox, xrefs: 008A1EEC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2b3ab5c59aa3afe65c22a6b3675249f623f696bfb1d2381894b0b664a8976043
Instruction ID: 9715a40296ecbaad9c0dfc819a741bcfaa407a173edad5756da5a0d891e0bab0
Opcode Fuzzy Hash: 2b3ab5c59aa3afe65c22a6b3675249f623f696bfb1d2381894b0b664a8976043
Instruction Fuzzy Hash: A821B074A00218BFDF14AFA4DC899EEBBB8FF16310F00021AF961A72D1DB349904DB60

Function 008A1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008A2043
GetDlgCtrlID.USER32 ref: 008A204E
GetParent.USER32 ref: 008A206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008A206D
GetDlgCtrlID.USER32(?), ref: 008A2076
GetParent.USER32(?), ref: 008A208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008A208D

Strings

ListBox, xrefs: 008A2002
ComboBox, xrefs: 008A1FCD

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d29e69df5ab67976570337a0bce4523c508f0aad2870c0222e54de47b11d5083
Instruction ID: 89f8cc53e82bfe01818622d821f44627228d500d80e76fae08960a13dcf4a9fc
Opcode Fuzzy Hash: d29e69df5ab67976570337a0bce4523c508f0aad2870c0222e54de47b11d5083
Instruction Fuzzy Hash: 4C21CF75900218BBDF20AFA8DC85EEEBBB8FF16300F000116F991E71A1DA759914DB60

Function 008D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008D3C13

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e965432250b32f38ff7da921e221732e819225790b29c079943ddf48bfb80e78
Instruction ID: faf0c670bc959bf80dc60981b616d7e31dcb6feb6db338a78425298ac8bd5ee3
Opcode Fuzzy Hash: e965432250b32f38ff7da921e221732e819225790b29c079943ddf48bfb80e78
Instruction Fuzzy Hash: FF616775A00208AFDB11DFA8CC81EEE77B8FB09714F10429AFA15E73A1D770AA41DB51

Function 008AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB165
GetWindowThreadProcessId.USER32(00000000), ref: 008AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008AA1E1,?,00000001), ref: 008AB21D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 680726f49fb2ed49cc779050cf9d318d728fc2dd7961a0e40b0089118d4e18f3
Instruction ID: adba5d89f543e4c83764e0f78a3de1c737ef59f70cd39f627ed7701db9e718e5
Opcode Fuzzy Hash: 680726f49fb2ed49cc779050cf9d318d728fc2dd7961a0e40b0089118d4e18f3
Instruction Fuzzy Hash: A431CAB1614204BFEB109F64EC48BAE7BB9FB6A391F10C10AFA01D6591D7B49E00CF60

Function 00872C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00872C94

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 00872CA0
_free.LIBCMT ref: 00872CAB
_free.LIBCMT ref: 00872CB6
_free.LIBCMT ref: 00872CC1
_free.LIBCMT ref: 00872CCC
_free.LIBCMT ref: 00872CD7
_free.LIBCMT ref: 00872CE2
_free.LIBCMT ref: 00872CED
_free.LIBCMT ref: 00872CFB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cfda6540b0ee83bd137e8d19446c1050a0302bcb4392d3b8a864237ab2cc2905
Instruction ID: 0c45bff4b7dada50b2efb0301225feb353b5827db597665632d0c9b7bb4db4d7
Opcode Fuzzy Hash: cfda6540b0ee83bd137e8d19446c1050a0302bcb4392d3b8a864237ab2cc2905
Instruction Fuzzy Hash: EE119676100108AFCB02EF68D842EDD7FA5FF05350F4584A5FA4C9B226D631EA909B91

Function 008B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 008B7FC1
GetFileAttributesW.KERNEL32(?), ref: 008B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 008B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 008B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008B80B0

Strings

*.*, xrefs: 008B8066

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b0d07af10969c70e376c7b22b347b4c8cf9c21707c6cbca702d4d80f33f32b46
Instruction ID: e14083a7dc475529c3ebcdccf15c42e20c5afc9188b0f880b6b8ba94638df4f4
Opcode Fuzzy Hash: b0d07af10969c70e376c7b22b347b4c8cf9c21707c6cbca702d4d80f33f32b46
Instruction Fuzzy Hash: 3E818C725083459BCB20EF18C844AAAB7E8FFC8754F14486AF895DB350EB35ED49CB52

Function 00845BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00845C7A

Part of subcall function 00845D0A: GetClientRect.USER32(?,?), ref: 00845D30
Part of subcall function 00845D0A: GetWindowRect.USER32(?,?), ref: 00845D71
Part of subcall function 00845D0A: ScreenToClient.USER32(?,?), ref: 00845D99

GetDC.USER32 ref: 008846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00884708
SelectObject.GDI32(00000000,00000000), ref: 00884716
SelectObject.GDI32(00000000,00000000), ref: 0088472B
ReleaseDC.USER32(?,00000000), ref: 00884733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008847C4

Strings

U, xrefs: 00884693

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 935ce9d613dd00ad50fda29a89593dfe474cf64cf4af3f59f62066212f4269b8
Instruction ID: 4623999427e862117658fd9204afacecf151039baa85cac56ab99ad2a0ab5c60
Opcode Fuzzy Hash: 935ce9d613dd00ad50fda29a89593dfe474cf64cf4af3f59f62066212f4269b8
Instruction Fuzzy Hash: D371FE3250020EDFCF21EF68C984ABA7BB1FF5A324F14526AE951DA2A6D7319841DF50

Function 008B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008B35E4

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

LoadStringW.USER32(00912390,?,00000FFF,?), ref: 008B360A

Strings

Error: , xrefs: 008B36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 008B3724
"%s" (%d) : ==> %s:, xrefs: 008B3742
Line %d (File "%s"):, xrefs: 008B366B
^ ERROR, xrefs: 008B36C9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a81a6128630c95a7565a8ae8140bf825ace6225d823a7f0bf5646b3b19ed028b
Instruction ID: d1a4458fbd6f6d18263d2a13afeb69632963d8cea696b6a3f45afcddfcfe9e0f
Opcode Fuzzy Hash: a81a6128630c95a7565a8ae8140bf825ace6225d823a7f0bf5646b3b19ed028b
Instruction Fuzzy Hash: 8C515F7190020DBADF14EBA4DC42EEEBB78FF15310F144125F515B22A2EB312B99DB62

Function 008BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008BC2CA
GetLastError.KERNEL32 ref: 008BC322
SetEvent.KERNEL32(?), ref: 008BC336
InternetCloseHandle.WININET(00000000), ref: 008BC341

Strings

, xrefs: 008BC2BB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9b1a04a4ca0c6d48c0bf08c1bb1cfb5928a4a48325ab9dc0b185aac9dfd87038
Instruction ID: 842af0433118b69f16bd8d7098184e1daa522a52e30107a3df2ce5eaa18fea7c
Opcode Fuzzy Hash: 9b1a04a4ca0c6d48c0bf08c1bb1cfb5928a4a48325ab9dc0b185aac9dfd87038
Instruction Fuzzy Hash: 96317AB1601609AFD7219FA98C88AEB7BFCFB49744F54861EF486D2300DB34DD049BA1

Function 008A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00883AAF,?,?,Bad directive syntax error,008DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008A98BC
LoadStringW.USER32(00000000,?,00883AAF,?), ref: 008A98C3

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008A9987

Strings

., xrefs: 008A996D
Line %d (File "%s"):, xrefs: 008A992D
%s (%d) : ==> %s.: %s %s, xrefs: 008A98F1
Line %d:, xrefs: 008A9912
Error: , xrefs: 008A9955

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: f623712e72cb76bf09bcfbf5f575f2d6fb6cf0afcfb79fe559fff5f4664a6e8a
Instruction ID: 5adbb07bd21a4994532b2c990d0d4216f3f0f63320df271e4490fb5f79a2e127
Opcode Fuzzy Hash: f623712e72cb76bf09bcfbf5f575f2d6fb6cf0afcfb79fe559fff5f4664a6e8a
Instruction Fuzzy Hash: A521803280421EFBDF15AF94DC0AEEE7779FF18304F04446AF515A60A2EB319628DB52

Function 008A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008A214D

Strings

largeicons, xrefs: 008A20E1
list, xrefs: 008A212F
smallicons, xrefs: 008A2115
SHELLDLL_DefView, xrefs: 008A20CC
details, xrefs: 008A20FB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a3f94a916fea126180c963b89f071d0e21230440d9e2b943b1732059b02fe767
Instruction ID: 7b5fe0b14cc5b0d5c67aff91d0716e14b1fe3473f9bbf0ca63793b01aaa55de0
Opcode Fuzzy Hash: a3f94a916fea126180c963b89f071d0e21230440d9e2b943b1732059b02fe767
Instruction Fuzzy Hash: 69115C76284707B9FA21222CEC07DAB379CFF16328F21111AF704E44D1FE61BC415A14

Function 00878D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c7e6a96df10da6bb1d8cc5f28a2ac7091339732b0c8e8a23130b7874d81deb
Instruction ID: b5c7de41374e256a4d068db4019f2e061b1b9dd0b4a60169574354e83cb03968
Opcode Fuzzy Hash: 91c7e6a96df10da6bb1d8cc5f28a2ac7091339732b0c8e8a23130b7874d81deb
Instruction Fuzzy Hash: 32C1CD75A04249AFCB11DFACD845BADBBB0FF4A310F048199E958E7396CB70C941CB62

Function 0087CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0087CEB7
_free.LIBCMT ref: 0087CF22
_free.LIBCMT ref: 0087CF48
_free.LIBCMT ref: 0087CF71
_free.LIBCMT ref: 0087CFA9
_free.LIBCMT ref: 0087CFDA
_free.LIBCMT ref: 0087D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0087D09C
_free.LIBCMT ref: 0087D0B5

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b20ed7ce64c943728ef23224f5957c95f1ec900ccfea6998bc52621d6438e704
Instruction ID: 8fd864c7a5b5ca430a621bcb43a3c2693b17a17aaa978b7556d19237c47e7953
Opcode Fuzzy Hash: b20ed7ce64c943728ef23224f5957c95f1ec900ccfea6998bc52621d6438e704
Instruction Fuzzy Hash: 15610771A047046BDB21AFB8A881BA97BA5FF05310F04C16EF94CD728ADBB2D941D751

Function 008D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 008D5186
ShowWindow.USER32(?,00000000), ref: 008D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008D51D1

Part of subcall function 008D6FBA: DeleteObject.GDI32(00000000), ref: 008D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 008D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 008D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 008D5296

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d2a50910dbd725a7fb3c8517f562eb101632609fa575e219cc13265b9c4f5685
Instruction ID: 3162e8c7ff9de016a8d198a326c696c74ce9341eadc362f45fc77f47dfa6e2c3
Opcode Fuzzy Hash: d2a50910dbd725a7fb3c8517f562eb101632609fa575e219cc13265b9c4f5685
Instruction Fuzzy Hash: F5518E30A91A09BEEF209F28CC46BD93B75FB05365F148217FA25D63E0C775A988DB41

Function 00858B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00896890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00858874,00000000,00000000,00000000,000000FF,00000000), ref: 00896901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0089691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00858874,00000000,00000000,00000000,000000FF,00000000), ref: 0089692D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2bbc3725f17c5acc1fa0930173ae50d43efa1ceda2157ce9380bdaec360d2a5c
Instruction ID: 69e04138d8c651bb519dc26d4e6a6fac750a413141ca8c713e31dd53e2e1e5d9
Opcode Fuzzy Hash: 2bbc3725f17c5acc1fa0930173ae50d43efa1ceda2157ce9380bdaec360d2a5c
Instruction Fuzzy Hash: 33518970600209EFDB209F24CC51BAA7BBAFB48361F144619F952E62A0EB70E994DB41

Function 008BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008BC182
GetLastError.KERNEL32 ref: 008BC195
SetEvent.KERNEL32(?), ref: 008BC1A9

Part of subcall function 008BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008BC272
Part of subcall function 008BC253: GetLastError.KERNEL32 ref: 008BC322
Part of subcall function 008BC253: SetEvent.KERNEL32(?), ref: 008BC336
Part of subcall function 008BC253: InternetCloseHandle.WININET(00000000), ref: 008BC341

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3fe5bb9505b62855bec05db7f9076bbe29ae2c843b7913666012001d9640af51
Instruction ID: e661c25c1638b671f6578533be6cf89fcab37f9994d1a169b769187250ce319f
Opcode Fuzzy Hash: 3fe5bb9505b62855bec05db7f9076bbe29ae2c843b7913666012001d9640af51
Instruction Fuzzy Hash: 93319C71201606AFDB219FA9DC44ABBBBF9FF58300B00452EF95AC6710DB30E814DBA0

Function 008A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A3A57
Part of subcall function 008A3A3D: GetCurrentThreadId.KERNEL32 ref: 008A3A5E
Part of subcall function 008A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008A25B3), ref: 008A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008A2627

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f7432e025b7802233e664b5e6709488633b0d14e5194bf36e9b59d2bb26baf23
Instruction ID: 57ac101d625ab1d88a12ab0c6b57b1d2ef6f6a9d30a0fc75e80c9ccc1a6847b1
Opcode Fuzzy Hash: f7432e025b7802233e664b5e6709488633b0d14e5194bf36e9b59d2bb26baf23
Instruction Fuzzy Hash: DE01B130690624BBFF2067689C8AF593F59FB5AB12F100106F318AE0D1C9E26444CA6A

Function 008A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008A1449,?,?,00000000), ref: 008A180C
HeapAlloc.KERNEL32(00000000,?,008A1449,?,?,00000000), ref: 008A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008A1449,?,?,00000000), ref: 008A1828
GetCurrentProcess.KERNEL32(?,00000000,?,008A1449,?,?,00000000), ref: 008A1830
DuplicateHandle.KERNEL32(00000000,?,008A1449,?,?,00000000), ref: 008A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008A1449,?,?,00000000), ref: 008A1843
GetCurrentProcess.KERNEL32(008A1449,00000000,?,008A1449,?,?,00000000), ref: 008A184B
DuplicateHandle.KERNEL32(00000000,?,008A1449,?,?,00000000), ref: 008A184E
CreateThread.KERNEL32(00000000,00000000,008A1874,00000000,00000000,00000000), ref: 008A1868

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 50c28cafa9333075d04638ae82a0695c36bd13bf72e291543e771de18e8d30f7
Instruction ID: d1bdacc3757dabd92a392a71a2f41a2c96b528ba6feb997a19782a2057fbf61e
Opcode Fuzzy Hash: 50c28cafa9333075d04638ae82a0695c36bd13bf72e291543e771de18e8d30f7
Instruction Fuzzy Hash: 6201BBB5281319BFEB10ABA5DC4DF6B7BACFB89B11F004511FA05DB2A1CA749800CB20

Function 008CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008AD501
Part of subcall function 008AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008AD50F
Part of subcall function 008AD4DC: CloseHandle.KERNELBASE(00000000), ref: 008AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008CA16D
GetLastError.KERNEL32 ref: 008CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 008CA268
GetLastError.KERNEL32(00000000), ref: 008CA273
CloseHandle.KERNEL32(00000000), ref: 008CA2C4

Strings

SeDebugPrivilege, xrefs: 008CA18F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b4e5a6088fdbb751cb49e3d26cd73341256d79aa602f902848d1ff237ff06094
Instruction ID: a0c524ff4b55c1ba106462a5e25de3597571e1c324cb31a728bcb3d1361f328a
Opcode Fuzzy Hash: b4e5a6088fdbb751cb49e3d26cd73341256d79aa602f902848d1ff237ff06094
Instruction Fuzzy Hash: 22618B702092569FD724DF18C494F16BBA5FF4431CF18848DE4668BBA2C776EC49CB92

Function 008D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008D3954
_wcslen.LIBCMT ref: 008D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008D39F4

Strings

SysListView32, xrefs: 008D38F7

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e5285aa696935cebfd2a5da97a4aca79d04fcd2c369120114fda2ceb46c03ea9
Instruction ID: a9cbaf696b6ab13808b6a62f59d03f25d933539a8722c7b9b3ff48f2bbb3a5dc
Opcode Fuzzy Hash: e5285aa696935cebfd2a5da97a4aca79d04fcd2c369120114fda2ceb46c03ea9
Instruction Fuzzy Hash: 73418271A00219BBEF219F64CC45BEA7BA9FF08354F100626F958E7281D771D994CB91

Function 008ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008ABCFD
IsMenu.USER32(00000000), ref: 008ABD1D
CreatePopupMenu.USER32 ref: 008ABD53
GetMenuItemCount.USER32(00DD5580), ref: 008ABDA4
InsertMenuItemW.USER32(00DD5580,?,00000001,00000030), ref: 008ABDCC

Strings

0, xrefs: 008ABCA8
2, xrefs: 008ABD37

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fec8c9c68c83954f8216eb04ad7cb2ccfa2e8a9285fe728ec3fdfa2536071aa3
Instruction ID: e05d6d42730bb1078c5f3446efb5bfad655b6c15988d91fe92f6d6bd4b519092
Opcode Fuzzy Hash: fec8c9c68c83954f8216eb04ad7cb2ccfa2e8a9285fe728ec3fdfa2536071aa3
Instruction Fuzzy Hash: 0C519E70A002099BEF10DFB8D884BAEBBF4FF46354F14425AE511EB692E7709D41CB62

Function 008AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008AC913

Strings

info, xrefs: 008AC8B4
stop, xrefs: 008AC8E4
question, xrefs: 008AC8CC
warning, xrefs: 008AC8FC
blank, xrefs: 008AC895

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 533311565f49e502fdb5463f924a6cc4d923e64c45a4e451acd6cd649fea67ee
Instruction ID: 55bee6b7ae9fba9d0d4b88616ec93744ca2edc4d8a623468847034684a6d94a7
Opcode Fuzzy Hash: 533311565f49e502fdb5463f924a6cc4d923e64c45a4e451acd6cd649fea67ee
Instruction Fuzzy Hash: 6211EB3668930ABEF7015B549C83DAF6BDCFF17759B14002EF500E66C2E7A45D005265

Function 008ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008ADE42
gethostname.WSOCK32(?,00000100), ref: 008ADE5C
gethostbyname.WSOCK32(?), ref: 008ADE69
inet_ntoa.WSOCK32(?), ref: 008ADEAB
_strcat.LIBCMT ref: 008ADEB9
WSACleanup.WSOCK32 ref: 008ADEDE

Strings

0.0.0.0, xrefs: 008ADE87

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 3b1a8837c349375fa10451e4818285910f307c263218dbb7133873420c0cd4ee
Instruction ID: d17e2ba3dacdd493acbaf02da1948d6c7966ab91b016c696274961bd568d7289
Opcode Fuzzy Hash: 3b1a8837c349375fa10451e4818285910f307c263218dbb7133873420c0cd4ee
Instruction Fuzzy Hash: 7C112C31904219AFDB206B78DC4AEDF77ACFF11711F01026AF556DA491EF718A81CA61

Function 008D9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

GetSystemMetrics.USER32(0000000F), ref: 008D9FC7
GetSystemMetrics.USER32(0000000F), ref: 008D9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008DA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008DA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008DA263
ShowWindow.USER32(00000003,00000000), ref: 008DA282
InvalidateRect.USER32(?,00000000,00000001), ref: 008DA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 008DA2CA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 33d3c8de713b79897cfae603a6073fe1983e5911aa5e6f117eef33ec2de2e37b
Instruction ID: bd46b1ebc44ab3de2bc06b54cb850d2cf939e9170f973e1e87c11391b075815b
Opcode Fuzzy Hash: 33d3c8de713b79897cfae603a6073fe1983e5911aa5e6f117eef33ec2de2e37b
Instruction Fuzzy Hash: 66B16831600219EFDF18CF69C9857AE7BB2FF44711F28826AEC45DB295DB31A940CB51

Function 008AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008AED2A
_wcslen.LIBCMT ref: 008AED3B
_wcslen.LIBCMT ref: 008AED79
_wcslen.LIBCMT ref: 008AEDAF
_wcslen.LIBCMT ref: 008AEDDF
_wcslen.LIBCMT ref: 008AEDEF
_wcslen.LIBCMT ref: 008AEE2B
_wcslen.LIBCMT ref: 008AEE5A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4215f8de3f843c545e4c2a1b7b989161352452cb2d4723ef3389586711f44ddf
Instruction ID: 2b160c2105deb88602216fdef3ed7b4d70f6c6d85ea371dae3e00088477ee753
Opcode Fuzzy Hash: 4215f8de3f843c545e4c2a1b7b989161352452cb2d4723ef3389586711f44ddf
Instruction Fuzzy Hash: B441C365D1021875DB11EBF8CC8A9CFB7A8FF46310F518862E518E3621FB34E255C3A6

Function 0085F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 0085F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 0089F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 0089F454

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d8afda0fbe966eb8bfe25b7cbfbdfcc008749b58aa0b011ff43ab087def4c048
Instruction ID: 399468ce51a6540ddd8964f849e616819c117fa9a8db2a2cf569414472961286
Opcode Fuzzy Hash: d8afda0fbe966eb8bfe25b7cbfbdfcc008749b58aa0b011ff43ab087def4c048
Instruction Fuzzy Hash: F3414031208A40BECB3C9B2CC88876A7FD1FB56356F58413DEB47D2663C6319488DB11

Function 008D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008D2D1B
GetDC.USER32(00000000), ref: 008D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008D2DE1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e13fbd1b7cb8bca7a819f03eddd790884783b693b17d9d236a723f3d71f3228a
Instruction ID: f1e166a70debe16cdce882ccf885e4d6287d27932ce6dd7aeb901159a2bff972
Opcode Fuzzy Hash: e13fbd1b7cb8bca7a819f03eddd790884783b693b17d9d236a723f3d71f3228a
Instruction Fuzzy Hash: 25319C72202214BFEB118F54DC8AFEB3BA9FF19711F044256FE08DA291C6759C40CBA0

Function 008A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008A5637
_memcmp.LIBVCRUNTIME ref: 008A5659
_memcmp.LIBVCRUNTIME ref: 008A5671
_memcmp.LIBVCRUNTIME ref: 008A5684
_memcmp.LIBVCRUNTIME ref: 008A569E
_memcmp.LIBVCRUNTIME ref: 008A56B1
_memcmp.LIBVCRUNTIME ref: 008A56C9
_memcmp.LIBVCRUNTIME ref: 008A56E4

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b9d0503769c8dee7870105c4cf6f5ab3c55733647cac24de964b4349748af6a2
Instruction ID: 098eecef112afa43631b06b255113903bbec2c2abb21b32b1ee24a4a7b6281c2
Opcode Fuzzy Hash: b9d0503769c8dee7870105c4cf6f5ab3c55733647cac24de964b4349748af6a2
Instruction Fuzzy Hash: 0921A761640A19B7F61855248F82FFA335CFF32394F484021FE16DAF82F728ED6095A6

Function 008C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 008C5007
NULL Pointer assignment, xrefs: 008C502E, 008C5383

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4935255d5381ef4f6b1cc3217699a3298a4f85d0574b2e89fe5c6555551c4632
Instruction ID: 4a5987af420713e82bfdf8bec9ec91c2ec8dfcefe3b869ba73d4dcbc8fa66ea7
Opcode Fuzzy Hash: 4935255d5381ef4f6b1cc3217699a3298a4f85d0574b2e89fe5c6555551c4632
Instruction Fuzzy Hash: 9AD17C71A0060A9FDF10CFA8C885FAEB7B5FB48354F14816DE915EB281E770E985CB90

Function 00881522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008815CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00881651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008816E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008816FB

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6,?,00841129), ref: 00873852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00881777
__freea.LIBCMT ref: 008817A2
__freea.LIBCMT ref: 008817AE

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6712310dee4e92ec0f2bfffd4fee49fffd66982e24adc06471aeffda48e48032
Instruction ID: 48e54ac86fa0d9133bec05092b12f7d7a7ff3a2373b9455676c96600559f995f
Opcode Fuzzy Hash: 6712310dee4e92ec0f2bfffd4fee49fffd66982e24adc06471aeffda48e48032
Instruction Fuzzy Hash: CD91C371E0021A9ADF20AE64CC89AEE7BB9FF49314F184659E805E7145DF35DC42CB61

Function 008C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C4648
VariantInit.OLEAUT32(?), ref: 008C4749
VariantClear.OLEAUT32(?), ref: 008C4753
VariantClear.OLEAUT32(?), ref: 008C47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008C45D8, 008C4706, 008C47BE
Incorrect Object type in FOR..IN loop, xrefs: 008C472C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ef4bea215bf35ceca2bf53fe5a105ec90da764129fa384d3aebeda3267036e42
Instruction ID: e4f46670e4eaf320013c8e74ad41ff444bfee9e8eae3e02fc591905c9d8777e5
Opcode Fuzzy Hash: ef4bea215bf35ceca2bf53fe5a105ec90da764129fa384d3aebeda3267036e42
Instruction Fuzzy Hash: 0B916B71A00219ABDF20CFA4C898FAEBBB8FF56714F10855DE505EB281D770D985CBA0

Function 008B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008B1430

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 85e141322bfb71b4e5753a34bf53e70b96d9560b9f0e7ce06c1b559773c606ea
Instruction ID: a089362580eadb8647fbe118278448c9ec077322899c2d4ef0cd67e5c959a6d0
Opcode Fuzzy Hash: 85e141322bfb71b4e5753a34bf53e70b96d9560b9f0e7ce06c1b559773c606ea
Instruction Fuzzy Hash: E591BD71A00219AFDB10DFA8C8A8BFEB7B6FF45315F504029E900EB392D774A941CB95

Function 0085948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5b6fd3bb2fd8799931083b839ba038aa215088b3aa05312973fe5e335e506fae
Instruction ID: e74b62b97f5b84d88ab0670a052b5cdb00f06747c6485c08c1b5d04a42ac9a4b
Opcode Fuzzy Hash: 5b6fd3bb2fd8799931083b839ba038aa215088b3aa05312973fe5e335e506fae
Instruction Fuzzy Hash: 41912471900219EFCB10CFA9C888AEEBBB8FF49321F148159E955F7251D378AA55CB60

Function 008C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008C396B
CharUpperBuffW.USER32(?,?), ref: 008C3A7A
_wcslen.LIBCMT ref: 008C3A8A
VariantClear.OLEAUT32(?), ref: 008C3C1F

Part of subcall function 008B0CDF: VariantInit.OLEAUT32(00000000), ref: 008B0D1F
Part of subcall function 008B0CDF: VariantCopy.OLEAUT32(?,?), ref: 008B0D28
Part of subcall function 008B0CDF: VariantClear.OLEAUT32(?), ref: 008B0D34

Strings

Incorrect Parameter format, xrefs: 008C39A6, 008C3BA1
AUTOIT.ERROR, xrefs: 008C3A80, 008C3A85

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 2d06c0ada9d74de851476082f8fe591b575ce48ea5aec17453258aaacaa64ca5
Instruction ID: 2fe58a3efaabb8521e0e1fc6c2cf5ff9a7b19aa96f80ebd4732fafd035d8b8f2
Opcode Fuzzy Hash: 2d06c0ada9d74de851476082f8fe591b575ce48ea5aec17453258aaacaa64ca5
Instruction Fuzzy Hash: FB910175A083059FC714DF28C480A6AB7E5FB89314F14896DF88ADB351DB31EE46CB92

Function 008C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?,?,008A035E), ref: 008A002B
Part of subcall function 008A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?), ref: 008A0046
Part of subcall function 008A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?), ref: 008A0054
Part of subcall function 008A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?), ref: 008A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 008C4C51
_wcslen.LIBCMT ref: 008C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 008C4DCF
CoTaskMemFree.OLE32(?), ref: 008C4DDA

Strings

NULL Pointer assignment, xrefs: 008C4E23, 008C4E52

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3cee188cf0ca49b5f6f4d1845a973ddf00186f5671c4078be6316570dc4f7d8e
Instruction ID: 7332d6a468b5ad63df748742e40c52078eb975738e6ed0f8c59d6829ded41658
Opcode Fuzzy Hash: 3cee188cf0ca49b5f6f4d1845a973ddf00186f5671c4078be6316570dc4f7d8e
Instruction Fuzzy Hash: 8A91F571D0021DABDF14DFA8D891EEEBBB8FF08314F10856AE915AB251DB349A44CF61

Function 008D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008D2183
GetMenuItemCount.USER32(00000000), ref: 008D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008D21DD
_wcslen.LIBCMT ref: 008D2213
GetMenuItemID.USER32(?,?), ref: 008D224D
GetSubMenu.USER32(?,?), ref: 008D225B

Part of subcall function 008A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A3A57
Part of subcall function 008A3A3D: GetCurrentThreadId.KERNEL32 ref: 008A3A5E
Part of subcall function 008A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008A25B3), ref: 008A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008D22E3

Part of subcall function 008AE97B: Sleep.KERNEL32 ref: 008AE9F3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6391faca08da8572eeb112fdc0906c0849b71a2b24c361ac70d83e35c02d0eaa
Instruction ID: d012b375fe6ce4d89162c2b3d544684e75a0074507e13238a4ea39742c50e843
Opcode Fuzzy Hash: 6391faca08da8572eeb112fdc0906c0849b71a2b24c361ac70d83e35c02d0eaa
Instruction Fuzzy Hash: E8718D35A00219AFCB10EF68C881AAEB7F5FF58310F14855AE916EB351DB35EE41CB91

Function 008D7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DD5800), ref: 008D7F37
IsWindowEnabled.USER32(00DD5800), ref: 008D7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 008D801E
SendMessageW.USER32(00DD5800,000000B0,?,?), ref: 008D8051
IsDlgButtonChecked.USER32(?,?), ref: 008D8089
GetWindowLongW.USER32(00DD5800,000000EC), ref: 008D80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008D80C3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1bf89fdef1c284d1d814158635a423491ae61a71a93f8d203d84c5652a3a1b25
Instruction ID: 3c4b4d2e85c8c7ca8e8d5422977fbba14ce63b5dc4ec656f31779d3175ee223d
Opcode Fuzzy Hash: 1bf89fdef1c284d1d814158635a423491ae61a71a93f8d203d84c5652a3a1b25
Instruction Fuzzy Hash: 02715734608204AFEB359F64C884FAABBBAFF19300F14465BE955D73A1DF31A845DA20

Function 008AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008AAEF9
GetKeyboardState.USER32(?), ref: 008AAF0E
SetKeyboardState.USER32(?), ref: 008AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008AB020

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4a3aaecf20909f9007124b18338b33b61694ad6d61968f678ce9c38f4219058c
Instruction ID: 76ffa122c9a06a5de941d6e72dffd31729c52ad0f4cf102952c69078159fc62b
Opcode Fuzzy Hash: 4a3aaecf20909f9007124b18338b33b61694ad6d61968f678ce9c38f4219058c
Instruction Fuzzy Hash: E75182A06047D53DFB3A42348C45BBABEA9BB07304F08858AE1E5D5CC3D7D9A894D762

Function 008AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008AAD19
GetKeyboardState.USER32(?), ref: 008AAD2E
SetKeyboardState.USER32(?), ref: 008AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008AAE38

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ba4728ff2bc52baed6cb842a80505173f7c4ed717808ac8ccca1220d1452f6ce
Instruction ID: 9223ed3409b3a721180dddce82728bc4921237ad0c813653a988f84e5268702b
Opcode Fuzzy Hash: ba4728ff2bc52baed6cb842a80505173f7c4ed717808ac8ccca1220d1452f6ce
Instruction Fuzzy Hash: 2351B0A15047D53DFB3B82648C95B7ABFA8BB47300F088589E1D5D6CC2D394EC98E762

Function 0087542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00883CD6,?,?,?,?,?,?,?,?,00875BA3,?,?,00883CD6,?,?), ref: 00875470
__fassign.LIBCMT ref: 008754EB
__fassign.LIBCMT ref: 00875506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00883CD6,00000005,00000000,00000000), ref: 0087552C
WriteFile.KERNEL32(?,00883CD6,00000000,00875BA3,00000000,?,?,?,?,?,?,?,?,?,00875BA3,?), ref: 0087554B
WriteFile.KERNEL32(?,?,00000001,00875BA3,00000000,?,?,?,?,?,?,?,?,?,00875BA3,?), ref: 00875584

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 95bcd1de1422302afddd317758a54b7ededaf00302f3995bbf11b172269a58b4
Instruction ID: 28d266d3dc750fcdf05ec413bf24dd41cb48b7ff90118228d1ce997c0b9b8046
Opcode Fuzzy Hash: 95bcd1de1422302afddd317758a54b7ededaf00302f3995bbf11b172269a58b4
Instruction Fuzzy Hash: 6E51D3B0A006499FDB10CFA8D855AEEBBF9FF09300F14811AF959E7295E770DA41CB61

Function 00862D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00862D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00862D53
_ValidateLocalCookies.LIBCMT ref: 00862DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00862E0C
_ValidateLocalCookies.LIBCMT ref: 00862E61

Strings

csm, xrefs: 00862DF6

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b29d6b973ffceafa579262f8fb1da91f0aec6993367a6f2afa493c12b2913961
Instruction ID: 2926d2ad6daa9ffa8eafb9060d27e2b7603e1c1e7ce3a647df6b8555117f8b8a
Opcode Fuzzy Hash: b29d6b973ffceafa579262f8fb1da91f0aec6993367a6f2afa493c12b2913961
Instruction Fuzzy Hash: 0C419334A0060DABCF10DF68C845A9EBBB5FF45364F1581A5E814EB392DB319A15CB91

Function 008C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008C307A
Part of subcall function 008C304E: _wcslen.LIBCMT ref: 008C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008C1112
WSAGetLastError.WSOCK32 ref: 008C1121
WSAGetLastError.WSOCK32 ref: 008C11C9
closesocket.WSOCK32(00000000), ref: 008C11F9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 076270f95ed2442ec1318955c47e5f5e847da7a1109792a9eb164c9c825839e1
Instruction ID: f13befbcf39909d00cdf81b0e9c49d04701a44149de9e1d99eb80c340d5dc816
Opcode Fuzzy Hash: 076270f95ed2442ec1318955c47e5f5e847da7a1109792a9eb164c9c825839e1
Instruction Fuzzy Hash: 5341B131600209AFDB109F18C888FA9B7B9FF46324F18815AF915DB292C778ED41CBA1

Function 008ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ACF22,?), ref: 008ADDFD

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ACF22,?), ref: 008ADE16

lstrcmpiW.KERNEL32(?,?), ref: 008ACF45
MoveFileW.KERNEL32(?,?), ref: 008ACF7F
_wcslen.LIBCMT ref: 008AD005
_wcslen.LIBCMT ref: 008AD01B
SHFileOperationW.SHELL32(?), ref: 008AD061

Strings

\*.*, xrefs: 008ACFF3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ac4dd7e0dbf3a0c0ce8524e89c5beccc4b858987dec02d91cfcce92f5cc8415e
Instruction ID: 4812b7312edd9361d3883166ebfe33d400801b09a82a69dbb8cc011d98cfbd74
Opcode Fuzzy Hash: ac4dd7e0dbf3a0c0ce8524e89c5beccc4b858987dec02d91cfcce92f5cc8415e
Instruction Fuzzy Hash: 504153719452199FEF12EBA4C981ADEB7B9FF09380F0000E6E505EB541EF74AA44CB51

Function 008D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 008D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 008D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 008D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 008D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 008D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 008D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008D2F0B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a1e703f164ce31dd99ede6f7f5c659fcaf4e19805fd4a57197006333cc9ab29c
Instruction ID: 03b0f2e405cb35126fdf06b2231f6f85ed37d8b20c6b3b274a59411bfc894d8f
Opcode Fuzzy Hash: a1e703f164ce31dd99ede6f7f5c659fcaf4e19805fd4a57197006333cc9ab29c
Instruction Fuzzy Hash: FE310330645255AFDB21CF58EC84FA537E1FBAA711F1542A6FA11CB2B2CB71E840EB41

Function 008A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A778F
SysAllocString.OLEAUT32(00000000), ref: 008A7792
SysAllocString.OLEAUT32(?), ref: 008A77B0
SysFreeString.OLEAUT32(?), ref: 008A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008A77DE
SysAllocString.OLEAUT32(?), ref: 008A77EC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e4afe799ed9f256c8d526f4bf5a5a331e8e8ec1b876c4bb3276cc01680e97380
Instruction ID: 552281624fd923dd046a1398479298b44e4b18dfd913f3a1538b32486c1ec893
Opcode Fuzzy Hash: e4afe799ed9f256c8d526f4bf5a5a331e8e8ec1b876c4bb3276cc01680e97380
Instruction Fuzzy Hash: 2221B07660921AAFEF10DFA8CC88CBB73ACFB0A364B008126FA14DB151D670DC41D764

Function 008A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008A7868
SysAllocString.OLEAUT32(00000000), ref: 008A786B
SysAllocString.OLEAUT32 ref: 008A788C
SysFreeString.OLEAUT32 ref: 008A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008A78AF
SysAllocString.OLEAUT32(?), ref: 008A78BD

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bd1f90c3351f2ea55d62e262a5230b317adebbde8c7349d90e2f80bf437fc428
Instruction ID: 35edd72d582891dc88709f76901671bfe5200420ac9b3baa0bd493024c641e93
Opcode Fuzzy Hash: bd1f90c3351f2ea55d62e262a5230b317adebbde8c7349d90e2f80bf437fc428
Instruction Fuzzy Hash: 0A21A431609109AFEB109FA8DC88DAA77ECFF09360B108135FA15CB2A5D678DC41DB68

Function 008B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008B052E

Strings

nul, xrefs: 008B0567

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8abd24ba794e2141896977b1e121c1f337cf0f7a6c1b5b63747ff2a4a13c5d94
Instruction ID: c739c948d7f6ddc0ef696c08b9bf6ae2adeabad1ab3ed4ad3ff2cb4a2349f701
Opcode Fuzzy Hash: 8abd24ba794e2141896977b1e121c1f337cf0f7a6c1b5b63747ff2a4a13c5d94
Instruction Fuzzy Hash: 69210CB550030AAFDB309F69DC45A9B7BA4FF45764F204A19E8A1E63E0D7709950CF20

Function 008B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008B0601

Strings

nul, xrefs: 008B0639

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8ac18b3f8c1e0ad2860d13534dd239ee0f66e0ed6812af7cc0b5087a5a56c456
Instruction ID: e1952f39ed839c965c03ca40f32a146d60d69d800f74c9e0eb0ab888c5188eab
Opcode Fuzzy Hash: 8ac18b3f8c1e0ad2860d13534dd239ee0f66e0ed6812af7cc0b5087a5a56c456
Instruction Fuzzy Hash: EC212F755003169BDB209F699C44ADB7BE8FFA6725F200B19E8A1E73E0D7709960CF50

Function 008D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0084600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0084604C
Part of subcall function 0084600E: GetStockObject.GDI32(00000011), ref: 00846060
Part of subcall function 0084600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0084606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008D4145

Strings

Msctls_Progress32, xrefs: 008D40E3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a70750c4adef3ea692dfaad05456db48ac7c12c5ac443ad0eafce5bce55853ca
Instruction ID: 3763b62a5f5bdcf7199cfc585739a077759be0d55a7bd7efc73e83c506ca0eaa
Opcode Fuzzy Hash: a70750c4adef3ea692dfaad05456db48ac7c12c5ac443ad0eafce5bce55853ca
Instruction Fuzzy Hash: EC118EB2150219BEEF118E64CC86EE77F6DFF08798F004211BA18E2190CA729C61DBA4

Function 0087D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0087D7A3: _free.LIBCMT ref: 0087D7CC

_free.LIBCMT ref: 0087D82D

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087D838
_free.LIBCMT ref: 0087D843
_free.LIBCMT ref: 0087D897
_free.LIBCMT ref: 0087D8A2
_free.LIBCMT ref: 0087D8AD
_free.LIBCMT ref: 0087D8B8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 64e22fa3d59b564d2ee69709bd310175a9e6a0149737a38c95baaa1493eb2159
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 0B118B71940B04AADA21BFB8CC07FCBBBECFF40740F448825B29DE6096DA34F5459662

Function 008ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008ADA74
LoadStringW.USER32(00000000), ref: 008ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008ADA91
LoadStringW.USER32(00000000), ref: 008ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008ADAB9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 6a0930a9365e87158a57f54268b529b8075670bd73e5665d6ea322594916d3f6
Instruction ID: 04e771f82e55306b17fc95a85887c311ca34f9afcc6b50ac9508c3f174c4568b
Opcode Fuzzy Hash: 6a0930a9365e87158a57f54268b529b8075670bd73e5665d6ea322594916d3f6
Instruction Fuzzy Hash: F10162F25002197FEB109BE49D89EEB376CF709305F400696F746E2041EA749E848F74

Function 008B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DCD5C0,00DCD5C0), ref: 008B097B
EnterCriticalSection.KERNEL32(00DCD5A0,00000000), ref: 008B098D
TerminateThread.KERNEL32(?,000001F6), ref: 008B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008B09A9
CloseHandle.KERNEL32(?), ref: 008B09B8
InterlockedExchange.KERNEL32(00DCD5C0,000001F6), ref: 008B09C8
LeaveCriticalSection.KERNEL32(00DCD5A0), ref: 008B09CF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: aa5f4b697e3c127b9c28a96f0970e217fc17159cab63a9b5bf8122de9933edd0
Instruction ID: 8eda1787574d974635c9fc98b79bf1b8a1a612bc20966d5232e9f41f6e227227
Opcode Fuzzy Hash: aa5f4b697e3c127b9c28a96f0970e217fc17159cab63a9b5bf8122de9933edd0
Instruction Fuzzy Hash: F6F0EC32483A13BBDB515FA4EE8DBD6BB39FF05702F402226F202908A1C7759465CF90

Function 00845D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00845D30
GetWindowRect.USER32(?,?), ref: 00845D71
ScreenToClient.USER32(?,?), ref: 00845D99
GetClientRect.USER32(?,?), ref: 00845ED7
GetWindowRect.USER32(?,?), ref: 00845EF8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: eb5e3de0461e4fa1e1f7a239a4eaddb785862e4da7704cd566db5f7a85575e5e
Instruction ID: 951d06dcdc98806d02fb19ad45113a3cbb8e4901a967310c2da6ce312079c8d8
Opcode Fuzzy Hash: eb5e3de0461e4fa1e1f7a239a4eaddb785862e4da7704cd566db5f7a85575e5e
Instruction Fuzzy Hash: 6BB19A35A00B4ADBDB10DFA9C4807EEBBF1FF58314F14951AE8AAD7250DB34AA41CB50

Function 008701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008700D6
__allrem.LIBCMT ref: 008700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0087010B
__allrem.LIBCMT ref: 00870122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00870140

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 044612cae9e2e5ca790d0a1fa8f41f0b07eff12769e2c5cdd7b30d222717a74d
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 7081F571A00B06DBE720AB6CDC41B6A73E9FF51324F25813AF515D6286EFB0D9008B51

Function 008C1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,008C101C,00000000,?,?,00000000), ref: 008C3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008C1DE1
WSAGetLastError.WSOCK32 ref: 008C1DF2
inet_ntoa.WSOCK32(?), ref: 008C1E8C
htons.WSOCK32(?,?,?,?,?), ref: 008C1EDB
_strlen.LIBCMT ref: 008C1F35

Part of subcall function 008A39E8: _strlen.LIBCMT ref: 008A39F2

Part of subcall function 00846D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0085CF58,?,?,?), ref: 00846DBA
Part of subcall function 00846D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0085CF58,?,?,?), ref: 00846DED

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: f658f86c9f34f29434708df9fe7e9fc3c1532cba4256dbedf61c86e27d36df38
Instruction ID: b1db965f65758d861e9fd024ff820e7d5e119f784212b933e78dbd09c5603373
Opcode Fuzzy Hash: f658f86c9f34f29434708df9fe7e9fc3c1532cba4256dbedf61c86e27d36df38
Instruction Fuzzy Hash: 3CA19D30104344AFC724DB28C885F2AB7A5FF86318F54895CF4569B2A3DB31ED46CB92

Function 008761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008682D9,008682D9,?,?,?,0087644F,00000001,00000001,8BE85006), ref: 00876258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0087644F,00000001,00000001,8BE85006,?,?,?), ref: 008762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008763D8
__freea.LIBCMT ref: 008763E5

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6,?,00841129), ref: 00873852

__freea.LIBCMT ref: 008763EE
__freea.LIBCMT ref: 00876413

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c31988a86778eb9d08a8259b2714562aa62e9f4f1e2265c768c67f8010a04836
Instruction ID: 5892a7a6c7e1202744257c0caee686cf620865a89ede6962266a0f1819a4b34e
Opcode Fuzzy Hash: c31988a86778eb9d08a8259b2714562aa62e9f4f1e2265c768c67f8010a04836
Instruction Fuzzy Hash: DC51F272A00A16ABEF258F64CC81EAF77A9FF44710F148229FC09D6259EB34DC60D761

Function 008CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008CBD25
RegCloseKey.ADVAPI32(00000000), ref: 008CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008CBDF3
RegCloseKey.ADVAPI32(?), ref: 008CBDFF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: cf3b73720d596003c51f06f511f22b29b6efc50618b71179451dafb99d84829e
Instruction ID: 550e5b9b08bca0e27d257fde5abb0d1e600c32a7f630f5dcad38cd5577ecb450
Opcode Fuzzy Hash: cf3b73720d596003c51f06f511f22b29b6efc50618b71179451dafb99d84829e
Instruction Fuzzy Hash: D5817E70108645AFD714DF24C886E2ABBF5FF84308F14855DF55A8B2A2DB31ED45CB92

Function 0089F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0089F7B9
SysAllocString.OLEAUT32(00000001), ref: 0089F860
VariantCopy.OLEAUT32(0089FA64,00000000), ref: 0089F889
VariantClear.OLEAUT32(0089FA64), ref: 0089F8AD
VariantCopy.OLEAUT32(0089FA64,00000000), ref: 0089F8B1
VariantClear.OLEAUT32(?), ref: 0089F8BB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 47e283419ecb88fa65cd65da6026562d36c847d42b5eae090e5740c8e6f73038
Instruction ID: 26626c224bbe8c57327b0d6a751a33f053e96a81482b1c4f8c78a2673693af66
Opcode Fuzzy Hash: 47e283419ecb88fa65cd65da6026562d36c847d42b5eae090e5740c8e6f73038
Instruction Fuzzy Hash: 1A51A331600314BACF28BB69D895B69B7A5FF45324F289467EA06DF293DB708C40C797

Function 008B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008B94E5
_wcslen.LIBCMT ref: 008B9506
_wcslen.LIBCMT ref: 008B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 008B9585

Strings

X, xrefs: 008B9412

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ebb222e4e8938be4a08d39e451ebcb3641a315f2aac0af38291191b612d1df7e
Instruction ID: c92ed213e3a8ab74205727800427da1735fd14bef51ffca0327b871b6e556ee8
Opcode Fuzzy Hash: ebb222e4e8938be4a08d39e451ebcb3641a315f2aac0af38291191b612d1df7e
Instruction Fuzzy Hash: E4E18D319083448FD724DF28C881AAAB7E4FF85314F15896DE999DB3A2DB31DD05CB92

Function 0085920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

BeginPaint.USER32(?,?,?), ref: 00859241
GetWindowRect.USER32(?,?), ref: 008592A5
ScreenToClient.USER32(?,?), ref: 008592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008592D3
EndPaint.USER32(?,?,?,?,?), ref: 00859321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008971EA

Part of subcall function 00859339: BeginPath.GDI32(00000000), ref: 00859357

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b8e7d19f4db665e7eff4b90c7578a5c31ad3ebebb4a21654cb45f2ca369aeebb
Instruction ID: 996670b6202f1749223a095d94984470d41f56108680106b710d84e29913b26b
Opcode Fuzzy Hash: b8e7d19f4db665e7eff4b90c7578a5c31ad3ebebb4a21654cb45f2ca369aeebb
Instruction Fuzzy Hash: 0941B030209301EFDB10DF28DC84FBA7BA8FB55365F040269FAA4C72A1C7309849DB62

Function 008B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008B0847
EnterCriticalSection.KERNEL32(?), ref: 008B0863
LeaveCriticalSection.KERNEL32(?), ref: 008B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 008B0921

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2cbdf194e5cc71e296bc4c4d471ae368a4bdf68d5e3e89cab7b3bea7b93742a7
Instruction ID: ec3f9c047340b54eb54a19287313b8ac79dd0421e33aa0bf1cf4bf479bcaeedb
Opcode Fuzzy Hash: 2cbdf194e5cc71e296bc4c4d471ae368a4bdf68d5e3e89cab7b3bea7b93742a7
Instruction Fuzzy Hash: 6E413671900205ABDF14AF58DC85AAA77B9FF04310F1440A5ED00EE297DB30DE65DBA5

Function 008D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0089F3AB,00000000,?,?,00000000,?,0089682C,00000004,00000000,00000000), ref: 008D824C
EnableWindow.USER32(?,00000000), ref: 008D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008D82D1
ShowWindow.USER32(?,00000004), ref: 008D82E5
EnableWindow.USER32(?,00000001), ref: 008D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008D832F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1bac98f93b157002c374171d8a2705afdfedaedededcdbc3c01c3b92b21d0e42
Instruction ID: 0314df2733fda7c903865fa83a40cf3f2a7b8da96426ba79236a00364fd73678
Opcode Fuzzy Hash: 1bac98f93b157002c374171d8a2705afdfedaedededcdbc3c01c3b92b21d0e42
Instruction Fuzzy Hash: B2418034605644EFDB25CF25DC99BE47BF1FB0A715F1843AAE6188B3A2CB31A841CB50

Function 008A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008A4CEA
_wcslen.LIBCMT ref: 008A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008A4D10
_wcsstr.LIBVCRUNTIME ref: 008A4D1A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3c67d6337ccd5562a811eb32050a48419b047c8dcadcdbbaac85c0eeefd98547
Instruction ID: 83ce7fa8b28d440ba375ae15ad06e146891a0f5eda1cb40d7e3ae263332e363f
Opcode Fuzzy Hash: 3c67d6337ccd5562a811eb32050a48419b047c8dcadcdbbaac85c0eeefd98547
Instruction Fuzzy Hash: 5F2107316052057BFF555B39AC0AE7B7B9CFF86760F10502EF909CA192EAA5DC00C2A1

Function 008B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00843AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00843A97,?,?,00842E7F,?,?,?,00000000), ref: 00843AC2

_wcslen.LIBCMT ref: 008B587B
CoInitialize.OLE32(00000000), ref: 008B5995
CoCreateInstance.OLE32(008DFCF8,00000000,00000001,008DFB68,?), ref: 008B59AE
CoUninitialize.OLE32 ref: 008B59CC

Strings

.lnk, xrefs: 008B5876, 008B58C1, 008B5985

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: af0968a36e9d552b4ad99edea71ab2e949e73116fd755157209cf82df8facb55
Instruction ID: b252b1bc04a81151e97ccc557f74eff0cc1b9fa43d44696067b6b7b756f3b486
Opcode Fuzzy Hash: af0968a36e9d552b4ad99edea71ab2e949e73116fd755157209cf82df8facb55
Instruction Fuzzy Hash: 43D15271A087059FC714DF28C480A6ABBE1FF89724F148959F88ADB361DB31EC45CB92

Function 008A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008A0FCA
Part of subcall function 008A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008A0FD6
Part of subcall function 008A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008A0FE5
Part of subcall function 008A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008A0FEC
Part of subcall function 008A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008A1002

GetLengthSid.ADVAPI32(?,00000000,008A1335), ref: 008A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008A17BA
HeapAlloc.KERNEL32(00000000), ref: 008A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008A17DA
GetProcessHeap.KERNEL32(00000000,00000000,008A1335), ref: 008A17EE
HeapFree.KERNEL32(00000000), ref: 008A17F5

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 456e3593df97eaf574494c9862cc170e0cd65eb722bfebc182222a8ebf3458cc
Instruction ID: e94cfb15a976f1c1d87a750de25425482ca32e0f2f8d9cde24414a13cdb0d25d
Opcode Fuzzy Hash: 456e3593df97eaf574494c9862cc170e0cd65eb722bfebc182222a8ebf3458cc
Instruction Fuzzy Hash: 0611BB32611616FFEF109FA4CC49FAE7BA9FB42359F104219F481E7294D736A940CB60

Function 008A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008A1515
CloseHandle.KERNEL32(00000004), ref: 008A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008A1563

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9ea4524f568edc5f7c92a6bd67cfb459f55df48eeeb6b0fc67dc592698b6dd75
Instruction ID: fb22cd9178de1b44dbb9aa2e740e809ea21689bb5225291c291f83b70f9bde13
Opcode Fuzzy Hash: 9ea4524f568edc5f7c92a6bd67cfb459f55df48eeeb6b0fc67dc592698b6dd75
Instruction Fuzzy Hash: 2C11297250220EABEF118F98DD49BDE7BAAFF49744F044115FA05A21A0D375CE60DB60

Function 00863382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00863379,00862FE5), ref: 00863390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0086339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008633B7
SetLastError.KERNEL32(00000000,?,00863379,00862FE5), ref: 00863409

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ecbb0f4349f3acae8c9b508d4dad2b60dab429db6b7d206ccdb76bc2d6baf4ef
Instruction ID: 099778424862f057b846374fd180a69d7df5d95131fde7eb8c1c98bcd777cc60
Opcode Fuzzy Hash: ecbb0f4349f3acae8c9b508d4dad2b60dab429db6b7d206ccdb76bc2d6baf4ef
Instruction Fuzzy Hash: A901F77361D311BEEA252778BD85A6B2BA4FB25379722032EF510C53F0EF114D11A544

Function 00872D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00875686,00883CD6,?,00000000,?,00875B6A,?,?,?,?,?,0086E6D1,?,00908A48), ref: 00872D78
_free.LIBCMT ref: 00872DAB
_free.LIBCMT ref: 00872DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0086E6D1,?,00908A48,00000010,00844F4A,?,?,00000000,00883CD6), ref: 00872DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0086E6D1,?,00908A48,00000010,00844F4A,?,?,00000000,00883CD6), ref: 00872DEC
_abort.LIBCMT ref: 00872DF2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 627523dbea945e0c7f348b5e37bc41a58c468111626aac393b97249f791033d6
Instruction ID: 5ada9f9c65cfc90cc7c5da1d31cda4c6d16813acb76049815b0c33933d665cd4
Opcode Fuzzy Hash: 627523dbea945e0c7f348b5e37bc41a58c468111626aac393b97249f791033d6
Instruction Fuzzy Hash: 9BF0A9355096056BC632277C7C06F5A1E59FBC17A5F24C619F82CD21EEDF34C8415162

Function 008D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00859639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00859693
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596A2
Part of subcall function 00859639: BeginPath.GDI32(?), ref: 008596B9
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008D8A70
LineTo.GDI32(?,00000000,00000003), ref: 008D8A80
EndPath.GDI32(?), ref: 008D8A90
StrokePath.GDI32(?), ref: 008D8AA0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b1683e17eff9a9222c74e37bfe064da73d5865b6bcd8418cca7af5fdb3ac4c92
Instruction ID: d9353c8c2c4de72118843793aaf703ffc8bb40789c0241deac72dd2635feb3a7
Opcode Fuzzy Hash: b1683e17eff9a9222c74e37bfe064da73d5865b6bcd8418cca7af5fdb3ac4c92
Instruction Fuzzy Hash: 67110976005159FFDF129F94DC88EAA7F6CFB08390F008112FA199A1A1C7719D55DBA0

Function 008A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A5230
ReleaseDC.USER32(00000000,00000000), ref: 008A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008A5261

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f5640e2372eb933d150d1bb486cadf95050fcf300ac0e8cfa7ff1433657a6026
Instruction ID: 9a8ad4c3ffd3431b7c582cf777f453aadec7cfcda3afd3cc665a08b23b614498
Opcode Fuzzy Hash: f5640e2372eb933d150d1bb486cadf95050fcf300ac0e8cfa7ff1433657a6026
Instruction Fuzzy Hash: EF014F75A01719BBEF109BA69C49B5EBFB8FF48751F084166FA04E7681DA709C00CFA0

Function 00841BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00841BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00841BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00841C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00841C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00841C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00841C22

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6f77d5e210fb1a10af5f5eb5167f05d4e43f22f916c3b9bab3ec6672d09ce521
Instruction ID: a2d74489e4ea9c5227be14a86496d3dbe7ee6e114dc431a4a99c4be8d19098c1
Opcode Fuzzy Hash: 6f77d5e210fb1a10af5f5eb5167f05d4e43f22f916c3b9bab3ec6672d09ce521
Instruction Fuzzy Hash: BE016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411BD15C47941C7F5A864CBE5

Function 008AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008AEB75

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: bcad3b5632401f787d13fe1d0f8c55d38f9abc337ffd6a46390a84838b111746
Instruction ID: c6a990b652cc8874ddb2dc3657bede0cebbdb1757d5664caf50700775c7a3dd0
Opcode Fuzzy Hash: bcad3b5632401f787d13fe1d0f8c55d38f9abc337ffd6a46390a84838b111746
Instruction Fuzzy Hash: DFF03072142169BBEB215B52AC0DEEF7B7CFFCAB11F00025AF601D1191D7A05A01C6B5

Function 00897439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00897452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00897469
GetWindowDC.USER32(?), ref: 00897475
GetPixel.GDI32(00000000,?,?), ref: 00897484
ReleaseDC.USER32(?,00000000), ref: 00897496
GetSysColor.USER32(00000005), ref: 008974B0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: dbc80ac564a0242410b82b2320efa0c5ffd1fd192b1bbdab2fe17c016c193b6f
Instruction ID: eefb547e2193612839c0c5b4c7e22e35576802431ddc91393f4ce76725444f89
Opcode Fuzzy Hash: dbc80ac564a0242410b82b2320efa0c5ffd1fd192b1bbdab2fe17c016c193b6f
Instruction Fuzzy Hash: 55018B3140521AEFDB506FA4EC08BAE7BB5FB04311F140265FA15A21A1CB311E41EB10

Function 008A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008A187F
UnloadUserProfile.USERENV(?,?), ref: 008A188B
CloseHandle.KERNEL32(?), ref: 008A1894
CloseHandle.KERNEL32(?), ref: 008A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008A18A5
HeapFree.KERNEL32(00000000), ref: 008A18AC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d0afe6d1d4be44635491d01b63472cf46203e7d3b1417b1723295d807e728e36
Instruction ID: a11474e469721e7a26b2f208248732b565c0ca3b51718db561ab50e077038711
Opcode Fuzzy Hash: d0afe6d1d4be44635491d01b63472cf46203e7d3b1417b1723295d807e728e36
Instruction Fuzzy Hash: 88E0E536045112FBDB016FA5ED0C90AFF39FF49B22B108322F225811B0CB329420DF50

Function 008AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008AC6EE
_wcslen.LIBCMT ref: 008AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008AC7CA

Strings

0, xrefs: 008AC6AF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8bba30e7907acda7eff787a8656f57a124d04bda31cd0fedc2727bea8721f149
Instruction ID: 518752f4407aebab8922bd400fc706a0803d827b41af477f43602feaa01419a8
Opcode Fuzzy Hash: 8bba30e7907acda7eff787a8656f57a124d04bda31cd0fedc2727bea8721f149
Instruction Fuzzy Hash: F451EE716043059BE715DF2CC885BAA77E8FF8A314F040A2DFAA5D29A1DB64D844CB92

Function 008CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008CAEA3

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

GetProcessId.KERNEL32(00000000), ref: 008CAF38
CloseHandle.KERNEL32(00000000), ref: 008CAF67

Strings

<, xrefs: 008CAE6B
@, xrefs: 008CAE72

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1fe49646cfbd9220e16f5f693c04c0769e9587f3a735b61bd382ee65029e03be
Instruction ID: 74c19730f651e356cec7f611181ba505ccecd3f3eab9ca5375cd07254636fea4
Opcode Fuzzy Hash: 1fe49646cfbd9220e16f5f693c04c0769e9587f3a735b61bd382ee65029e03be
Instruction Fuzzy Hash: B7714574A00619DFCB18DF58C485A9EBBB4FF08318F05849DE816AB362CB75ED45CB92

Function 008A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008A72CF

Strings

DllGetClassObject, xrefs: 008A7242

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 72ddb47a240c3e50ea7ef8700c5ff794a602592db7bfdae29286632208679c62
Instruction ID: 05eba431893c47266acfd4f37aa1e7f9314906dadb66050157cb007b2879f1e9
Opcode Fuzzy Hash: 72ddb47a240c3e50ea7ef8700c5ff794a602592db7bfdae29286632208679c62
Instruction Fuzzy Hash: 59418E71604205AFEB15CF54CC84B9A7BB9FF46314F1481AABD06DF20AD7B0D945EBA0

Function 008D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008D3E35
IsMenu.USER32(?), ref: 008D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008D3E92
DrawMenuBar.USER32 ref: 008D3EA5

Strings

0, xrefs: 008D3D89

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 37c8bbfc820310d9d1b516c047f43b815af214ccdbb04e633c3e912ac6b0f2b7
Instruction ID: 13c8e6ea1a0f76ac82632a042fde75b3b22f6cec366eac0131da282db9a67f7a
Opcode Fuzzy Hash: 37c8bbfc820310d9d1b516c047f43b815af214ccdbb04e633c3e912ac6b0f2b7
Instruction Fuzzy Hash: 5D416875A01209AFDB10DF51E884AEABBB9FF48354F04422AE905E7390D730AE40CF51

Function 008A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008A1EA9

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Strings

ListBox, xrefs: 008A1E25
ComboBox, xrefs: 008A1DF0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c2376ce6a3ee8a47c93e8e1f4663728128287adab9189caefaf7e6f32d7319ad
Instruction ID: 565dfb056b28f99961946502e3a9f7de8caafd8ab7ba8b913bc0133ead046ed0
Opcode Fuzzy Hash: c2376ce6a3ee8a47c93e8e1f4663728128287adab9189caefaf7e6f32d7319ad
Instruction Fuzzy Hash: 1D21F371A00108AEEF14AB68DC4ACFFB7B9FF56364F104129F825E71E1DB344919C621

Function 008CC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008CC9F1
_wcslen.LIBCMT ref: 008CCA68
_wcslen.LIBCMT ref: 008CCA9E
_wcslen.LIBCMT ref: 008CCAF9
_wcslen.LIBCMT ref: 008CCB2F
_wcslen.LIBCMT ref: 008CCB7F

Strings

HKLM, xrefs: 008CCA98, 008CCA9D
HKEY_LOCAL_MACHINE, xrefs: 008CCA62, 008CCA67

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 4956628cd94c796f5e15954762d06eab222de9822b24086a10f6ee9648da3ff1
Instruction ID: 6c5f95fb5eaf35aa42231f11331307b6b02d4c3a00eeaa88df7771c89215b569
Opcode Fuzzy Hash: 4956628cd94c796f5e15954762d06eab222de9822b24086a10f6ee9648da3ff1
Instruction Fuzzy Hash: 9931F5B2A0057A4BCB20EE6C9844EBE37B2FBA1750F05402DE849EB285E671CD41D3A1

Function 008D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008D2F8D
LoadLibraryW.KERNEL32(?), ref: 008D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008D2FA9
DestroyWindow.USER32(?), ref: 008D2FB1

Strings

SysAnimate32, xrefs: 008D2F68

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a593a4d50b38cad08dfe004fc2a6b591dc6ae0e876fe596f160d44a3a8970fde
Instruction ID: 94dbf84ef537d408425a84a05feb1dcc0cd0f7116801da64dd4136330794b62d
Opcode Fuzzy Hash: a593a4d50b38cad08dfe004fc2a6b591dc6ae0e876fe596f160d44a3a8970fde
Instruction Fuzzy Hash: 8B218E71204209AFEB205F64DC80EBB77B9FF69368F104B1AF954D6290DB71DC51A760

Function 00864D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00864D1E,008728E9,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002), ref: 00864D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00864DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00864D1E,008728E9,?,00864CBE,008728E9,009088B8,0000000C,00864E15,008728E9,00000002,00000000), ref: 00864DC3

Strings

CorExitProcess, xrefs: 00864D98
mscoree.dll, xrefs: 00864D86

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 02e99fb8271fefcbafb7d2cd9805af08c9420a6724a50b9a93445f534ec466e9
Instruction ID: 1dbf1983e47e9c6c122476293a5c10ec77a24d7628b0d5b8d0989aff9e36cfc9
Opcode Fuzzy Hash: 02e99fb8271fefcbafb7d2cd9805af08c9420a6724a50b9a93445f534ec466e9
Instruction Fuzzy Hash: 4BF0AF30A01219BBDB109F91DC09BAEBBB9FF44752F0102A5F805E2260CF715980DE90

Function 0089D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0089D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0089D3BF
FreeLibrary.KERNEL32(00000000), ref: 0089D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0089D3B9
X64, xrefs: 0089D2A8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 989bbdf40914699fb78a43cd0922d937fbda0119e5eae05afaaa47150990df8a
Instruction ID: b831b1012aa5d1b897571e9e6afcc4d3664e5be61966c9df5de9424dd1ed6504
Opcode Fuzzy Hash: 989bbdf40914699fb78a43cd0922d937fbda0119e5eae05afaaa47150990df8a
Instruction Fuzzy Hash: 07F05531802B269FCF787BA08C4896A7324FF00706B9C8356FD02E2254EB20DD49D68A

Function 00844E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00844EAE
FreeLibrary.KERNEL32(00000000,?,?,00844EDD,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00844EA8
kernel32.dll, xrefs: 00844E94

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 01f7c1a445d37ad318045ff85bc16b8f5759ea47ebbee25640af164e117c1006
Instruction ID: 57a498bc87c9fbaf40904c57cbb9fb822f18784c2e20281889d245ac1134dfcc
Opcode Fuzzy Hash: 01f7c1a445d37ad318045ff85bc16b8f5759ea47ebbee25640af164e117c1006
Instruction Fuzzy Hash: DFE08C36A026339BD6221B25AC1CB6B7758FF81B72B050216FC04E2250DF64CD02C0A0

Function 00844E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844E74
FreeLibrary.KERNEL32(00000000,?,?,00883CDE,?,00911418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00844E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00844E6E
kernel32.dll, xrefs: 00844E5B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fadc85840b154d06c06c69763ea823455f7870641bda678845031843bfdf31f1
Instruction ID: 868133824d64de680349949c7c86a4f947c926edadd7ed4cff906f56ef296e0c
Opcode Fuzzy Hash: fadc85840b154d06c06c69763ea823455f7870641bda678845031843bfdf31f1
Instruction Fuzzy Hash: C7D0E236A02A336B9A221B25AC18E8B7B18FF85B653454726F915E3265CF64CE02C5A0

Function 008B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008B2C05
DeleteFileW.KERNEL32(?), ref: 008B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008B2CC0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1e7b250039077cb9408164bb021e8f7bdb2ee8e4100c3f6165d7c954d9590253
Instruction ID: 797950e37f0911f559c9b6d6cc61c95d1f690a93008718d8679338772960227b
Opcode Fuzzy Hash: 1e7b250039077cb9408164bb021e8f7bdb2ee8e4100c3f6165d7c954d9590253
Instruction Fuzzy Hash: E4B13F72D0051DABDF21DBA8CC85EDEBB7DFF49350F1040A6F609E6251EA309A448F62

Function 008CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008CA468
CloseHandle.KERNEL32(?), ref: 008CA63D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2838224096f61837c1626b3f13682e5797882b65db431750bb65c9cd49e544fa
Instruction ID: b04fcb01c095693bc45c9485ee1fb286f06e03b2b375c741bc49f099d34c0a15
Opcode Fuzzy Hash: 2838224096f61837c1626b3f13682e5797882b65db431750bb65c9cd49e544fa
Instruction Fuzzy Hash: C3A16A716043019FD724DF28C886F2AB7E5FB84718F14885DF95ADB392DAB1EC458B82

Function 008AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ACF22,?), ref: 008ADDFD

Part of subcall function 008ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ACF22,?), ref: 008ADE16

Part of subcall function 008AE199: GetFileAttributesW.KERNEL32(?,008ACF95), ref: 008AE19A

lstrcmpiW.KERNEL32(?,?), ref: 008AE473
MoveFileW.KERNEL32(?,?), ref: 008AE4AC
_wcslen.LIBCMT ref: 008AE5EB
_wcslen.LIBCMT ref: 008AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008AE650

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: bc0a6b4b84d67548323995bbcb5c3043a23356472e010cb4db464f5f27ff515c
Instruction ID: 86d592304d6ff4a5ffd0d7a881ef1fe1dc9c7dc90d583328d98b8f8b38eeaa18
Opcode Fuzzy Hash: bc0a6b4b84d67548323995bbcb5c3043a23356472e010cb4db464f5f27ff515c
Instruction Fuzzy Hash: F45191B24087455BD724EB94D8819DBB3DCFF85300F00092EF689C3591EF34A288876B

Function 008CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008CB6AE,?,?), ref: 008CC9B5
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CC9F1
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA68
Part of subcall function 008CC998: _wcslen.LIBCMT ref: 008CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008CBB63
RegCloseKey.ADVAPI32(?,?), ref: 008CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 008CBBB3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a6c9725e3635a3789a6fdb4d251f8236878aa549a9a5c1b11760b0993b3f3e43
Instruction ID: 777ee9af5d364732cbe9adfaa75dfd1e8f98e412c2832e6de73050877b128c31
Opcode Fuzzy Hash: a6c9725e3635a3789a6fdb4d251f8236878aa549a9a5c1b11760b0993b3f3e43
Instruction Fuzzy Hash: 89617931209645AFC314DF28C491E2ABBF5FF84318F14895DF49A8B2A2CB31ED45CB92

Function 008A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008A8BCD
VariantClear.OLEAUT32 ref: 008A8C3E
VariantClear.OLEAUT32 ref: 008A8C9D
VariantClear.OLEAUT32(?), ref: 008A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008A8D3B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 06cc2abb2c5df92aa99af15abd2863fe87db1e3ff1cea1851fb8d79bf46bf511
Instruction ID: 915c3921bd8eb26a5a26badff6aedf10c9e4a3b549de4d16549aac8779c0ff04
Opcode Fuzzy Hash: 06cc2abb2c5df92aa99af15abd2863fe87db1e3ff1cea1851fb8d79bf46bf511
Instruction Fuzzy Hash: D7518AB1A0021AEFDB10CF28C884AAAB7F9FF89314B118559F905DB350E734E911CFA0

Function 008B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008B8C5F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6c8b07d8f33decdd47a092dea4d8b8fe94e857f8686eaffabdc5844773a587bc
Instruction ID: 6b9699b0ef9c291b14e980e84f5422aa5ab5dad21b6fdc7ea906530c5004a3ff
Opcode Fuzzy Hash: 6c8b07d8f33decdd47a092dea4d8b8fe94e857f8686eaffabdc5844773a587bc
Instruction Fuzzy Hash: 72515A75A00219DFCB00DF68C881AAEBBF5FF48314F088459E849AB362CB35ED41CB91

Function 008C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 008C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 008C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 008C9032
FreeLibrary.KERNEL32(00000000), ref: 008C9052

Part of subcall function 0085F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008B1043,?,753CE610), ref: 0085F6E6
Part of subcall function 0085F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0089FA64,00000000,00000000,?,?,008B1043,?,753CE610,?,0089FA64), ref: 0085F70D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ef38c0f5bba20790548b03e1a3a607d39341c3b2c25e86a5f767e11bdfafda1b
Instruction ID: 2648ae1eec5fe0bea098e3ffa6f0334c006017a7d4b708450c790105a27317a0
Opcode Fuzzy Hash: ef38c0f5bba20790548b03e1a3a607d39341c3b2c25e86a5f767e11bdfafda1b
Instruction Fuzzy Hash: E1513534601209DFCB11DF58C484DA9BBF1FF49314B0981A9E84AEB762DB31ED86CB91

Function 008D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008BAB79,00000000,00000000), ref: 008D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008D6CC7

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2541f6ab451605d5eea270a56ba425eb964c55b40f3fb804d0daf50e9df0d7a6
Instruction ID: 7f115b046198a1a43d90c79f3f10f83d7d0a158646a1e6e0579eae4234a73453
Opcode Fuzzy Hash: 2541f6ab451605d5eea270a56ba425eb964c55b40f3fb804d0daf50e9df0d7a6
Instruction Fuzzy Hash: F041AF35A14108AFDB24CF28CC58FA97BA5FB09360F15036AE995E73E0E771AD61DA40

Function 00872051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008720C3
_free.LIBCMT ref: 008720E3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: be9a3f5a3f00b041e071ee698e88776da960c9a0f38e608435e8ccea6f6dafe9
Instruction ID: 28fa995b72432ec2848122a70bc4319b6a4ea81e83642e1ee33c32b0cbb2b8f2
Opcode Fuzzy Hash: be9a3f5a3f00b041e071ee698e88776da960c9a0f38e608435e8ccea6f6dafe9
Instruction Fuzzy Hash: 3041E272A002049FCB20DF78C881A5DB7F5FF89314F1585A8EA19EB356D631ED01CB91

Function 0085912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00859141
ScreenToClient.USER32(00000000,?), ref: 0085915E
GetAsyncKeyState.USER32(00000001), ref: 00859183
GetAsyncKeyState.USER32(00000002), ref: 0085919D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 63e574cc976de02807c5e9a27e5e18e7d596285f430dec79c34b7c3b448c035c
Instruction ID: 7e0f299938e3b0d90f2671df3fccad403ab1485fea0045221cc9de9cbe25060b
Opcode Fuzzy Hash: 63e574cc976de02807c5e9a27e5e18e7d596285f430dec79c34b7c3b448c035c
Instruction Fuzzy Hash: 70414E31A0861AEBDF15AF68C844BEEB774FB05325F24831AE865E7290C7346D54CB91

Function 008B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 008B3922
TranslateMessage.USER32(?), ref: 008B394B
DispatchMessageW.USER32(?), ref: 008B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008B3966

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f9f0727e4670744980d6f0b048df028890829d9c55618fa96a68ff20dce59a35
Instruction ID: ca326a8f4064ce485acebced50957e3b8d01b9f6f63a0cb2788333275ec25fb3
Opcode Fuzzy Hash: f9f0727e4670744980d6f0b048df028890829d9c55618fa96a68ff20dce59a35
Instruction Fuzzy Hash: 4E31B770618346AFEB35CB349C48BF63FA8FB06304F44456DE562C22A0E7B4A685DB11

Function 008BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,008BC21E,00000000), ref: 008BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 008BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,008BC21E,00000000), ref: 008BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,008BC21E,00000000), ref: 008BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,008BC21E,00000000), ref: 008BCFF2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: d6925c55873b81db45df6020d0e13829206989e113ed3b98aeb4af1b2b989cb8
Instruction ID: fc22a0ee5820934649765703031d02f640d2420e0f143796571868e246d3a3da
Opcode Fuzzy Hash: d6925c55873b81db45df6020d0e13829206989e113ed3b98aeb4af1b2b989cb8
Instruction Fuzzy Hash: 76314C71600206AFDB20DFA9C8849BBBBF9FB14355B10446EF516D2341DB70EE44DB60

Function 008A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008A19E2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c90668380b3fd54ab277c4c9908bbd618a22e443c2c51ca90b610c673fcd44df
Instruction ID: e8048b5e5b09692c34b55e1dd538bc377366bc12e7f5848a712bcfbf6b4c8291
Opcode Fuzzy Hash: c90668380b3fd54ab277c4c9908bbd618a22e443c2c51ca90b610c673fcd44df
Instruction Fuzzy Hash: C3318B71A00219EFDF00CFA8D99DA9E3BB5FB05315F144229F921EB2D1C7709944CB90

Function 008D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008D579D
_wcslen.LIBCMT ref: 008D57AF
_wcslen.LIBCMT ref: 008D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008D5816

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ef432336d84368ca4055c12cb2b71f791c7e83f56fb5f655b67ca0542000c774
Instruction ID: fa1fa2ec8c869ad271489f9ef2db92b244eb2d8b40703814c73dc9369829f115
Opcode Fuzzy Hash: ef432336d84368ca4055c12cb2b71f791c7e83f56fb5f655b67ca0542000c774
Instruction Fuzzy Hash: 95218071904618EADB209FA4DC85AEE7BB8FF14724F10835BE929EA280D7708985CF51

Function 008C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008C0951
GetForegroundWindow.USER32 ref: 008C0968
GetDC.USER32(00000000), ref: 008C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 008C09B0
ReleaseDC.USER32(00000000,00000003), ref: 008C09E8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5e0739ebbbb2e4648df9d2bba66d5af4c76b3ab351f30ef4540041ccd4265222
Instruction ID: 8ab623c650d5427d39d055d08543bc7b5dc71b54873357a60d6d887b8080cfab
Opcode Fuzzy Hash: 5e0739ebbbb2e4648df9d2bba66d5af4c76b3ab351f30ef4540041ccd4265222
Instruction Fuzzy Hash: 81215E35A00214AFD704EF69D888AAEBBF9FF44740F04816DE84AD7352CA70EC04CB50

Function 0085990F Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008598CC
SetTextColor.GDI32(?,?), ref: 008598D6
SetBkMode.GDI32(?,00000001), ref: 008598E9
GetStockObject.GDI32(00000005), ref: 008598F1
GetWindowLongW.USER32(?,000000EB), ref: 00859952

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 8154e5cd5c67bffe9d2770e48f6ceb9c3f0f093438bcda1f21a6a6c9e5febf39
Instruction ID: 0ec54d1e6d18f61e691bc8718142230cc307e89bb937df29e4a64481f0974fd8
Opcode Fuzzy Hash: 8154e5cd5c67bffe9d2770e48f6ceb9c3f0f093438bcda1f21a6a6c9e5febf39
Instruction Fuzzy Hash: AD21D371546250DFCB228F34EC55AE53FA0FF17332B08029EEAD6CA1A2C6355845DB10

Function 0087CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0087CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087CDE9

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6,?,00841129), ref: 00873852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0087CE0F
_free.LIBCMT ref: 0087CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0087CE31

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a20bd50b6fb39fc49a56537cff653a7045461572a615dbb2d3d0fb275197d036
Instruction ID: f607c8a84c784e53523a28f143833a553aa3df822201fe9d1317b4e50837933d
Opcode Fuzzy Hash: a20bd50b6fb39fc49a56537cff653a7045461572a615dbb2d3d0fb275197d036
Instruction Fuzzy Hash: 4001D8736026157F272116BAAC88D7B7F6DFFC6BA1315822EF909C7204DB61CD0181B1

Function 00859639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00859693
SelectObject.GDI32(?,00000000), ref: 008596A2
BeginPath.GDI32(?), ref: 008596B9
SelectObject.GDI32(?,00000000), ref: 008596E2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ed912b2b3771db3b6d8e0a006635607912078dc0782ace063f56d540c6f13164
Instruction ID: b7de7dd196c0ffc53f146cbdb1d54991d6b50634732b77d5e43eec9057c3aac6
Opcode Fuzzy Hash: ed912b2b3771db3b6d8e0a006635607912078dc0782ace063f56d540c6f13164
Instruction Fuzzy Hash: C9218030926306FBDF119F28EC157E97BA9FB20356F508216F960E61B0D3745899EF90

Function 008A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008A5726
_memcmp.LIBVCRUNTIME ref: 008A5744
_memcmp.LIBVCRUNTIME ref: 008A5757
_memcmp.LIBVCRUNTIME ref: 008A576F
_memcmp.LIBVCRUNTIME ref: 008A5787

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9aa06142b6b6a15ef989f7fe7ebfc8605a33d22e0ad24233351f92667489a7c5
Instruction ID: b437a3a912b7e2d443eeeede2ba7b2ffa55de109a4e71eeaeca54f047163b462
Opcode Fuzzy Hash: 9aa06142b6b6a15ef989f7fe7ebfc8605a33d22e0ad24233351f92667489a7c5
Instruction Fuzzy Hash: 1F01F961241A19FBF61851149E42FBB734CFB223A8F048021FE16FAB42F724ED5082A1

Function 00872DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0086F2DE,00873863,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6), ref: 00872DFD
_free.LIBCMT ref: 00872E32
_free.LIBCMT ref: 00872E59
SetLastError.KERNEL32(00000000,00841129), ref: 00872E66
SetLastError.KERNEL32(00000000,00841129), ref: 00872E6F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: cbaedfdcefaecf89f60a624c3a946f7537d0ff75677b676f92a7082591f1569b
Instruction ID: 42ea75e03374d7e14950ebc6a942428a34d37980fe2732f980261dab1a516e85
Opcode Fuzzy Hash: cbaedfdcefaecf89f60a624c3a946f7537d0ff75677b676f92a7082591f1569b
Instruction Fuzzy Hash: 5201D1332096046BC61267386C45E2B275DFBC63A9B24C129F82DE22DBEB60C8415022

Function 008A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?,?,008A035E), ref: 008A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?), ref: 008A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?), ref: 008A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?), ref: 008A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0089FF41,80070057,?,?), ref: 008A0070

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 56ab57ec97447167051bd1005bf4a438d55b16268a5360cec0345bb2788cdfdd
Instruction ID: 629d4de35f2fce1be1da93e6852370b1765004fc35e1ac360946ed7e510a86f2
Opcode Fuzzy Hash: 56ab57ec97447167051bd1005bf4a438d55b16268a5360cec0345bb2788cdfdd
Instruction Fuzzy Hash: 9E018B72601A06BFEB108F68DC04FAA7BAEFB48792F144225F905D2210E771DD40DBA0

Function 008AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008AE9A5
Sleep.KERNEL32(00000000), ref: 008AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008AE9B7
Sleep.KERNEL32 ref: 008AE9F3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9ded24fb2369f10792ad6276da48b05e7745c684ff140d1a4924de1c18370b5a
Instruction ID: 8dc5380f32a28bf6d8e332c5c7355c949dbfb74836711b635fb123e32109b715
Opcode Fuzzy Hash: 9ded24fb2369f10792ad6276da48b05e7745c684ff140d1a4924de1c18370b5a
Instruction Fuzzy Hash: 63011731C0262EDBDF00ABE5D859AEEBF78FB0A701F040A56E502F2241CB709555CBA1

Function 008A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008A0B9B,?,?,?), ref: 008A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008A114D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a5ab7793e3185241f7600c1f16c3d68b7cbe8af1b65c69b205cf7b33e6ae8030
Instruction ID: 23b43bc4d154f74a5f8c6f908a3d2292685514d5958f29a1123c516e68268a2b
Opcode Fuzzy Hash: a5ab7793e3185241f7600c1f16c3d68b7cbe8af1b65c69b205cf7b33e6ae8030
Instruction Fuzzy Hash: EC011975201216BFEF114FA9DC4DE6A3B6EFF8A3A4B20451AFA45D7360DA31DC00DA60

Function 008A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008A1002

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e59708e5d05bfc934dd972bcd82245b9abba9c9c49b143d20b0b34c1c87a1d05
Instruction ID: d4029fc5c46c5333fa06a37ad8f85d0e96521b7456abc3504dee513488a79eb7
Opcode Fuzzy Hash: e59708e5d05bfc934dd972bcd82245b9abba9c9c49b143d20b0b34c1c87a1d05
Instruction Fuzzy Hash: 0FF06D35241712EBEB214FA4DC4DF5A3BADFF8AB62F114516FA45C7291CA74DC40CA60

Function 008A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1062

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a295c8932d61328994ab9d2fd698b8d54952fd99272f191828c80a8300ebdb19
Instruction ID: f73bc61825bfc501d50914d22368469eb9e5cc029bc409b0a29469352593cc5e
Opcode Fuzzy Hash: a295c8932d61328994ab9d2fd698b8d54952fd99272f191828c80a8300ebdb19
Instruction Fuzzy Hash: 91F06D35241712EBEB219FA4EC4DF5A3BADFF8A761F110516FA45C7290CA70DC40CA60

Function 008B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0324
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0331
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B033E
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B034B
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0358
CloseHandle.KERNEL32(?,?,?,?,008B017D,?,008B32FC,?,00000001,00882592,?), ref: 008B0365

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 36f468abc71af635f99eb572cfb3dc0041ac1b3d6f0d8b778c60d9649d1f4503
Instruction ID: b8542fc032414ede448b178c153d79f51ed5faa1021667e607c4196c6ea5487e
Opcode Fuzzy Hash: 36f468abc71af635f99eb572cfb3dc0041ac1b3d6f0d8b778c60d9649d1f4503
Instruction Fuzzy Hash: BD019C72801B159FCB30AF66D890857FBF9FE642153158A3FD19692A31C7B1A998CE80

Function 0087D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0087D752

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 0087D764
_free.LIBCMT ref: 0087D776
_free.LIBCMT ref: 0087D788
_free.LIBCMT ref: 0087D79A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 60c95a0b61fb7af508d21e8570cbef2fed80e8c1a8108f8287ac37708158abfb
Instruction ID: 98d68e6f5f1b5aa26316e0b2ce7b8e7e352ac0d74aa49ad575efca712e9b798b
Opcode Fuzzy Hash: 60c95a0b61fb7af508d21e8570cbef2fed80e8c1a8108f8287ac37708158abfb
Instruction Fuzzy Hash: EBF04F72514304ABC629EB78F9C1E16BBEDFF44350B988805F54CE750AC720FC809665

Function 008A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008A5C6F
MessageBeep.USER32(00000000), ref: 008A5C87
KillTimer.USER32(?,0000040A), ref: 008A5CA3
EndDialog.USER32(?,00000001), ref: 008A5CBD

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4286f0a5db2c6e6d7857d43045cd4d9dff0d2b04fe988e12c414e4c0d77c7cb
Instruction ID: 504f6dca5beab07097026353e0a0e7080028491e014e343bb72f113e8354076f
Opcode Fuzzy Hash: e4286f0a5db2c6e6d7857d43045cd4d9dff0d2b04fe988e12c414e4c0d77c7cb
Instruction Fuzzy Hash: 8B018170501B05ABFB205B50ED4EFA677B8FB11B15F00175EE683E18E1DBF4A984CA91

Function 008722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008722BE

Part of subcall function 008729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000), ref: 008729DE
Part of subcall function 008729C8: GetLastError.KERNEL32(00000000,?,0087D7D1,00000000,00000000,00000000,00000000,?,0087D7F8,00000000,00000007,00000000,?,0087DBF5,00000000,00000000), ref: 008729F0

_free.LIBCMT ref: 008722D0
_free.LIBCMT ref: 008722E3
_free.LIBCMT ref: 008722F4
_free.LIBCMT ref: 00872305

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ebda9a38504068ae9ba5d03b8724261b31f9498fc09973c416d3f4b282ea0621
Instruction ID: b9af7b34fff479d7019f13c8b15b5ab2add23eec2a535b7a4cbdd3e8a12ec8bf
Opcode Fuzzy Hash: ebda9a38504068ae9ba5d03b8724261b31f9498fc09973c416d3f4b282ea0621
Instruction Fuzzy Hash: CAF030B05291119BC712AF68BD02E887F64F718751B05CA06F518D23B9C7768492FBA5

Function 008595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008595D4
StrokeAndFillPath.GDI32(?,?,008971F7,00000000,?,?,?), ref: 008595F0
SelectObject.GDI32(?,00000000), ref: 00859603
DeleteObject.GDI32 ref: 00859616
StrokePath.GDI32(?), ref: 00859631

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 28a7d0d759600ad485ff25590a59d44a0a097b87651090a189380fdee7daccbe
Instruction ID: 286d91f559947828e0b2e27686ed04d90d510e56b00b579332f3f933d0f98e88
Opcode Fuzzy Hash: 28a7d0d759600ad485ff25590a59d44a0a097b87651090a189380fdee7daccbe
Instruction Fuzzy Hash: 48F0193011A609EBDF125F65ED187A43BA1FB10362F448315FA65950F0D73089A9EF20

Function 00870F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008710F9
__freea.LIBCMT ref: 00871117

Part of subcall function 00871537: _free.LIBCMT ref: 0087154F

Strings

am/pm, xrefs: 0087117A
a/p, xrefs: 008711DE

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3b01a1bf8ffe237616d01b685b3c11950cc194373359be5d952620c2f11f30e2
Instruction ID: 202f8ad519f2b60dbbf7fbd5fc7f8dc2bd065ad9114f7665ee51491628e24e28
Opcode Fuzzy Hash: 3b01a1bf8ffe237616d01b685b3c11950cc194373359be5d952620c2f11f30e2
Instruction Fuzzy Hash: 71D1E03191020ACADF248F6CC89DABAB7B5FF15704F288119E509EBE59D339DD80CB61

Function 008C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00860242: EnterCriticalSection.KERNEL32(0091070C,00911884,?,?,0085198B,00912518,?,?,?,008412F9,00000000), ref: 0086024D
Part of subcall function 00860242: LeaveCriticalSection.KERNEL32(0091070C,?,0085198B,00912518,?,?,?,008412F9,00000000), ref: 0086028A

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008600A3: __onexit.LIBCMT ref: 008600A9

__Init_thread_footer.LIBCMT ref: 008C7BFB

Part of subcall function 008601F8: EnterCriticalSection.KERNEL32(0091070C,?,?,00858747,00912514), ref: 00860202
Part of subcall function 008601F8: LeaveCriticalSection.KERNEL32(0091070C,?,00858747,00912514), ref: 00860235

Strings

Variable must be of type 'Object'., xrefs: 008C7C3A
5, xrefs: 008C7C78
G, xrefs: 008C7C7F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 1a5833bf458388b01ae23b879c57f9e2f8df942d2a22fdf89db928e5fe03ae6f
Instruction ID: ae8ed172a12cd6aadb02f96ac5ac27dca608d023a4070672789442b087de14fe
Opcode Fuzzy Hash: 1a5833bf458388b01ae23b879c57f9e2f8df942d2a22fdf89db928e5fe03ae6f
Instruction Fuzzy Hash: 0E914670A04209AFCB14EF98D891EADB7B1FF49304F10815DF9069B292DB71EE85DB52

Function 008A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008A21D0,?,?,00000034,00000800,?,00000034), ref: 008AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008A2760

Part of subcall function 008AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008AB3F8

Part of subcall function 008AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008AB355
Part of subcall function 008AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008A2194,00000034,?,?,00001004,00000000,00000000), ref: 008AB365
Part of subcall function 008AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008A2194,00000034,?,?,00001004,00000000,00000000), ref: 008AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008A281A

Strings

@, xrefs: 008A2832

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fc7692e3da63493b7d9504be5ac240b45e9ea4212fd32420014924900980352d
Instruction ID: 6e84badf8fe17f524245d96c9215131071923775bdf3dc03848a8b93ff8a1700
Opcode Fuzzy Hash: fc7692e3da63493b7d9504be5ac240b45e9ea4212fd32420014924900980352d
Instruction Fuzzy Hash: 62412E72901218AFDB10DFA8CD45ADEBBB8FF0A700F104059FA55B7181DB746E45CB61

Function 0087172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00871769
_free.LIBCMT ref: 00871834
_free.LIBCMT ref: 0087183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00871760, 00871767, 00871796, 008717CE

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: a831b075aea5f6d070891dc48ee52d44f2c52ea7b846462125eccc8b04ef83e3
Instruction ID: a26a8ab4578fbfbf8714bddca876d7188e3eb17277bcc220e3e3cc3b7e50ebd9
Opcode Fuzzy Hash: a831b075aea5f6d070891dc48ee52d44f2c52ea7b846462125eccc8b04ef83e3
Instruction Fuzzy Hash: 8C319D71A04218ABDF21DF9D9889E9EBBFCFB85350B148166E908D7619D6B0CA40CB91

Function 008AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00911990,00DD5580), ref: 008AC395

Strings

0, xrefs: 008AC2DF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1935ff95880de1e62bf52c9d3f2868bd2147775e4922536dbe963855a2193227
Instruction ID: 5a27a97daf8c540ac8c90dc3c877dafb541408d5b255061a947057f4774085af
Opcode Fuzzy Hash: 1935ff95880de1e62bf52c9d3f2868bd2147775e4922536dbe963855a2193227
Instruction Fuzzy Hash: 26418F312083019FEB24DF29D845B5ABBE8FF86314F14865DF9A5D7391D770A904CB52

Function 008D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008DCC08,00000000,?,?,?,?), ref: 008D44AA
GetWindowLongW.USER32 ref: 008D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008D44D7

Strings

SysTreeView32, xrefs: 008D447C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 32d3152628f05482a7e04ffcf87cb5ca6c4abc1eed1b6fa0ab42a3dc027b8c3f
Instruction ID: 7b9af91c9ed147eb51449d3fb042d15be28341dc329357a2b1be7f3b6c84216e
Opcode Fuzzy Hash: 32d3152628f05482a7e04ffcf87cb5ca6c4abc1eed1b6fa0ab42a3dc027b8c3f
Instruction Fuzzy Hash: 60317C31211606AFDB208E38EC45BEA7BAAFB08334F205716F975E22D0D770EC909750

Function 008C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008C3077,?,?), ref: 008C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008C307A
_wcslen.LIBCMT ref: 008C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 008C3106

Strings

255.255.255.255, xrefs: 008C3095, 008C309A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: e7f9eccf500efb35aa2c8cd2ef104ccb92fe9c320199ddacceae9e7ea749fc35
Instruction ID: d1836353885a71d165b9e98bd3350ef65582d6085628656c1d8e8e2e3fe4e51c
Opcode Fuzzy Hash: e7f9eccf500efb35aa2c8cd2ef104ccb92fe9c320199ddacceae9e7ea749fc35
Instruction Fuzzy Hash: AD316B366042059FCB20CF68C585FAA77B0FF54318F29C15AE916CB292DB72EE46C761

Function 008D3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008D3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008D3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 008D3F78

Strings

SysMonthCal32, xrefs: 008D3F0B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4854c16c1e3886da759bfb6b60859245a866e1364f3cae12078a31d23ffe8770
Instruction ID: 47301d880318e1f3bf71e92370c2144e5e0362d9609203ac01348291a307ea0a
Opcode Fuzzy Hash: 4854c16c1e3886da759bfb6b60859245a866e1364f3cae12078a31d23ffe8770
Instruction Fuzzy Hash: 01218B32610219BFDF218F94DC46FEA3B79FB48724F110215FA15AB2D0DAB1A950CBA1

Function 008D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008D471A

Strings

msctls_updown32, xrefs: 008D4684

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 83d6b30236ad8de69a5dea0660fca920075a546e2fa945c512780cae1caa204b
Instruction ID: 6cbf4edb28fc866ff116c5e50f540e491dd39db789c945796645b073cf1bd3d4
Opcode Fuzzy Hash: 83d6b30236ad8de69a5dea0660fca920075a546e2fa945c512780cae1caa204b
Instruction Fuzzy Hash: EC218EB5604209AFEB10DF68ECC1DA737ADFB5A3A4B00114AFA01DB391DB30EC11CA61

Function 008A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A961D

Strings

#OnAutoItStartRegister, xrefs: 008A95F3
#notrayicon, xrefs: 008A95B7
#requireadmin, xrefs: 008A95D9

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: cbe7e3108eb5eb5bc04a1088123deecb7981b2c70bbc76094f10abed55dfd871
Instruction ID: 8406dbaac1a70e1145ccd2b345d364696742f6a53e44f0eb36065ebf592494a7
Opcode Fuzzy Hash: cbe7e3108eb5eb5bc04a1088123deecb7981b2c70bbc76094f10abed55dfd871
Instruction Fuzzy Hash: AB215B32508114A6E331AB289C03FBB73D8FF62314F104426FA8AD7982EB559D51C296

Function 008D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008D3876

Strings

Listbox, xrefs: 008D380F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e0f063a4bc7f51146e5000f83f95145a1b3d01ce5ab78b51099996bcb39e6c7d
Instruction ID: 4ba85ded34726de86136c6f729d647d3778ca4f62a929e42c1b2f15c898da5be
Opcode Fuzzy Hash: e0f063a4bc7f51146e5000f83f95145a1b3d01ce5ab78b51099996bcb39e6c7d
Instruction Fuzzy Hash: CD21B072610119BBEF119F54DC45FAB376AFF89754F108225F900AB290CA71DC5197A1

Function 008B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008B4A5C
SetErrorMode.KERNEL32(00000000,?,?,008DCC08), ref: 008B4AD0

Strings

%lu, xrefs: 008B4A6F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 740d7cb2e7ce108cac964e1b5b515d7adb0c8edb4b8768fd6af2282c76a0138d
Instruction ID: 41b9b3968ff91289175b8d27714a09fb2df91f5a4e822199a33fe44de6bf69c3
Opcode Fuzzy Hash: 740d7cb2e7ce108cac964e1b5b515d7adb0c8edb4b8768fd6af2282c76a0138d
Instruction Fuzzy Hash: 83313075A00119AFDB10DF58C985EAA77F8FF04308F1440A5E905DB352D771ED45CB61

Function 008D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008D4271

Strings

msctls_trackbar32, xrefs: 008D4226

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5cece56a4c7716973e3be5f36052d5106979e58ca9293ff3f5313e7009c53ecb
Instruction ID: c4f5b973d0b89f8393f9325d07f476205f3fe74dfb5e653b221e2cbd2f3f256e
Opcode Fuzzy Hash: 5cece56a4c7716973e3be5f36052d5106979e58ca9293ff3f5313e7009c53ecb
Instruction Fuzzy Hash: 7F11E031240208BFEF205E68CC06FAB3BACFF95B64F110225FA55E21A0D671D8619B20

Function 008A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00846B57: _wcslen.LIBCMT ref: 00846B6A

Part of subcall function 008A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008A2DC5
Part of subcall function 008A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A2DD6
Part of subcall function 008A2DA7: GetCurrentThreadId.KERNEL32 ref: 008A2DDD
Part of subcall function 008A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008A2DE4

GetFocus.USER32 ref: 008A2F78

Part of subcall function 008A2DEE: GetParent.USER32(00000000), ref: 008A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008A2FC3
EnumChildWindows.USER32(?,008A303B), ref: 008A2FEB

Strings

%s%d, xrefs: 008A2FFF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 435b04244255ecedbf238563476701f877f851ded4b15b1a291a4e24d2186d71
Instruction ID: 757dff32f3d17916479deda644e35c4e211c79843d7e85abcc6cb2ef642c659f
Opcode Fuzzy Hash: 435b04244255ecedbf238563476701f877f851ded4b15b1a291a4e24d2186d71
Instruction Fuzzy Hash: 7711A5716002096BDF147F689C85EEE776AFF95314F044075FD09DB292EE309945CB61

Function 008D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008D58EE
DrawMenuBar.USER32(?), ref: 008D58FD

Strings

0, xrefs: 008D588F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 68d65d06067c2aff9957d53c364daf4a8f6ce6ad4b6cede1555d0f88bb5fdc33
Instruction ID: 44abfbaa874ee88946a3fa55c4aa2b40be48820a09b4802b187bec8f4a868363
Opcode Fuzzy Hash: 68d65d06067c2aff9957d53c364daf4a8f6ce6ad4b6cede1555d0f88bb5fdc33
Instruction Fuzzy Hash: 3D015B31500218EEDB219F15EC45FAEBBB9FB45361F10819BE949DA251DB308A84DF21

Function 008A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390949112028b52ada917c3126e759b3ce240e6b9bb2a79ca3d3bd9aa591c9f4
Instruction ID: b335621a77aa13045b61a4e28e06b6c538567388c538623e875bf855da43df9b
Opcode Fuzzy Hash: 390949112028b52ada917c3126e759b3ce240e6b9bb2a79ca3d3bd9aa591c9f4
Instruction Fuzzy Hash: B7C13875A0020AAFEB15CFA8C894BAEB7B5FF49704F208598E505EB251D771EE41CF90

Function 00873E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00873F0B
__alldvrm.LIBCMT ref: 0087410C
__alldvrm.LIBCMT ref: 0087412E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 98b721e36a1db9dc50126155c98a02717873ab0555b24d8b88effa3f977d100e
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9AA14672E007869FDB21DE18C8917AEBBE4FF61390F18816DE599DB285C738C981C752

Function 008C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008C3459
CoUninitialize.OLE32 ref: 008C3463
VariantInit.OLEAUT32(?), ref: 008C346E
VariantClear.OLEAUT32(?), ref: 008C371B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f7b3985b8f8b2c4b917348bb187bc7d31336d5c9b522896bf67ad5b7727f350c
Instruction ID: ccaf0426f14dd8fc4dbb2016e1ad991ba1fe6896748cd42dc43ef89c7cb45113
Opcode Fuzzy Hash: f7b3985b8f8b2c4b917348bb187bc7d31336d5c9b522896bf67ad5b7727f350c
Instruction Fuzzy Hash: B7A1F2756046159FCB10DF28C485E2AB7E5FF88714F05885DF98ADB362DB30EE058B92

Function 008A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008DFC08,?), ref: 008A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008DFC08,?), ref: 008A0608
CLSIDFromProgID.OLE32(?,?,00000000,008DCC40,000000FF,?,00000000,00000800,00000000,?,008DFC08,?), ref: 008A062D
_memcmp.LIBVCRUNTIME ref: 008A064E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0a84847a74378118723e4ed6a2245f6140c332291e3e48e42483a21f5f5ada37
Instruction ID: 2ddfad6d0d1cbbb1a9a161df8b1d706ea42b33086d86c7e26237535224caca3d
Opcode Fuzzy Hash: 0a84847a74378118723e4ed6a2245f6140c332291e3e48e42483a21f5f5ada37
Instruction Fuzzy Hash: 5C810771A00209AFDB04DF94C984EEEB7B9FF89315F204558E516EB250DB71AE06CF61

Function 008CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 008CA6BA

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Process32NextW.KERNEL32(00000000,?), ref: 008CA79C
CloseHandle.KERNEL32(00000000), ref: 008CA7AB

Part of subcall function 0085CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00883303,?), ref: 0085CE8A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6a245cb2d479c66195dceebe2e90718b22b1b5f24bde1bd4274e989a80f9f9d2
Instruction ID: 1e03f7f4288b971510da646963b619059433479d2b7dd62379d9e4fbe86bc9ed
Opcode Fuzzy Hash: 6a245cb2d479c66195dceebe2e90718b22b1b5f24bde1bd4274e989a80f9f9d2
Instruction Fuzzy Hash: 77511571508315AFD714EF28C886A6BBBE8FF89754F00492DF985D7252EB70E904CB92

Function 00881391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008814C0

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 282fc964090afccc19498a1c260b48f1dbe8d29d9b84f9db23e57a37ec37b739
Instruction ID: 4431e2261aea08352f424192b52b445669d0347592baa32c32f61c8be6bf5f12
Opcode Fuzzy Hash: 282fc964090afccc19498a1c260b48f1dbe8d29d9b84f9db23e57a37ec37b739
Instruction Fuzzy Hash: 26413631A00104ABDF217BBC9C89AAE3BAEFF41330F144225F519D6292EE7488425767

Function 008D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008D62E2
ScreenToClient.USER32(?,?), ref: 008D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008D6382

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4fdccacb6aa544535bb45505113c884fde01671ccd05057db36d5c7fafb843a4
Instruction ID: 20405bc296ecad2c8d77da915bcd64e84c59442290180254ee9e8689e000513b
Opcode Fuzzy Hash: 4fdccacb6aa544535bb45505113c884fde01671ccd05057db36d5c7fafb843a4
Instruction Fuzzy Hash: DD511A74A00209AFCB14DF68D8809AE7BB6FB55364F10826AF925DB390E770ED51CB90

Function 008C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008C1AFD
WSAGetLastError.WSOCK32 ref: 008C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008C1B8A
WSAGetLastError.WSOCK32 ref: 008C1B94

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3b253e1bc7a61a5e6f1c6eb3dc4731fa1ef957e7a7c61beaffedd0b079a10dde
Instruction ID: 220bf536da70d20e4a7cfba8c537ba81dca5924475717bde4e6e951ace28eea3
Opcode Fuzzy Hash: 3b253e1bc7a61a5e6f1c6eb3dc4731fa1ef957e7a7c61beaffedd0b079a10dde
Instruction Fuzzy Hash: 3C417D34640201AFEB20AF28C88AF2977A5FB45718F54855CF91ADF393D772DD428B91

Function 0087B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e423a05755f770dd7a0fecc6e58e0d7df84b618513bef879edd87dd1defbb04f
Instruction ID: 446e11560afa2f1d55fc85014417df96e22f55e59bc93a666fdaa61477b5ee0c
Opcode Fuzzy Hash: e423a05755f770dd7a0fecc6e58e0d7df84b618513bef879edd87dd1defbb04f
Instruction Fuzzy Hash: 25410671A00304AFD724AF7CCC45B6ABBFAFB88710F10852AF559DB296D771D9018781

Function 008B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008B5783
GetLastError.KERNEL32(?,00000000), ref: 008B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008B57FA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 93d04d043217d94ce73a2a9036123029f93e5da3535de6a7bb7ec7eefb9db4aa
Instruction ID: 3658e83e46cad2fc518b9f56e4e792865015fa923d16abcff7287a5bbd5c3f7c
Opcode Fuzzy Hash: 93d04d043217d94ce73a2a9036123029f93e5da3535de6a7bb7ec7eefb9db4aa
Instruction Fuzzy Hash: 83411E35600615DFCB11EF19C544A5EBBE1FF49320B198898E84A9F362CB35FD40CB92

Function 0087D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00866D71,00000000,00000000,008682D9,?,008682D9,?,00000001,00866D71,8BE85006,00000001,008682D9,008682D9), ref: 0087D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0087D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0087D9AB
__freea.LIBCMT ref: 0087D9B4

Part of subcall function 00873820: RtlAllocateHeap.NTDLL(00000000,?,00911444,?,0085FDF5,?,?,0084A976,00000010,00911440,008413FC,?,008413C6,?,00841129), ref: 00873852

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 52f0c71e94abd6f1d4a25a99a19159122f2cf391c25e3070b3585f3b58921c64
Instruction ID: 3d462e51507f135f9191eaab323699d681328d38cc641d3f0776513bc7a1cf7f
Opcode Fuzzy Hash: 52f0c71e94abd6f1d4a25a99a19159122f2cf391c25e3070b3585f3b58921c64
Instruction Fuzzy Hash: E131CD72A0021AABDF249F69DC41EAE7BB5FF40314B058268FD08DA254EB35CD50CB91

Function 008D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008D5352
GetWindowLongW.USER32(?,000000F0), ref: 008D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008D53A8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: dcaa77c2827ec51f6bbe494a5dea5a888655d19c360ed58804af5285d7a21566
Instruction ID: f91c0f287e1627273c8150c899d4b038e4959a4c608619fa42b0c6308691cb97
Opcode Fuzzy Hash: dcaa77c2827ec51f6bbe494a5dea5a888655d19c360ed58804af5285d7a21566
Instruction Fuzzy Hash: 2E31A234A95A0CEFEB389A14CC55BE97765FB06390F584307FA11D63E1C7B09950EB42

Function 008AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008AAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008AACC6

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db98155b75fc6e5fe2487947fa9292371cf4b178109fa64100f914482776cdc3
Instruction ID: 02073510e1c536c35c817508412b23591d7643cead98cb6e62f3704d41319b7e
Opcode Fuzzy Hash: db98155b75fc6e5fe2487947fa9292371cf4b178109fa64100f914482776cdc3
Instruction Fuzzy Hash: EE31F630A44618AFFF298B65C8087FA7BA6FB86330F04431AE485D2DD1D3758985D752

Function 008D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008D769A
GetWindowRect.USER32(?,?), ref: 008D7710
PtInRect.USER32(?,?,008D8B89), ref: 008D7720
MessageBeep.USER32(00000000), ref: 008D778C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 943fa9fa53a42fdb7f1f3f56a619c3ca7d0ead4176256ea2f5b47926952b32e9
Instruction ID: 7ebb48dfec8fc6ab038c72485dc46b9b5b90ba95a3380a814b04fc44e14a4654
Opcode Fuzzy Hash: 943fa9fa53a42fdb7f1f3f56a619c3ca7d0ead4176256ea2f5b47926952b32e9
Instruction Fuzzy Hash: 4E419A38A09255AFDB01CF58D894EA9B7F4FB48314F1486AAE925DB361E330E941CB90

Function 008D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008D16EB

Part of subcall function 008A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008A3A57
Part of subcall function 008A3A3D: GetCurrentThreadId.KERNEL32 ref: 008A3A5E
Part of subcall function 008A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008A25B3), ref: 008A3A65

GetCaretPos.USER32(?), ref: 008D16FF
ClientToScreen.USER32(00000000,?), ref: 008D174C
GetForegroundWindow.USER32 ref: 008D1752

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f5d56e41c895b716c93138e9c13139e702d1ac3b40677e55572e22ae01ea35f6
Instruction ID: 42e940789f37126620f4837231a355c49ebf81eaf708678e3309d8db22738504
Opcode Fuzzy Hash: f5d56e41c895b716c93138e9c13139e702d1ac3b40677e55572e22ae01ea35f6
Instruction Fuzzy Hash: 4D313075D01249AFDB00EFA9C885CAEB7FDFF49304B5080AAE415E7211EB359E45CBA1

Function 008ADF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

_wcslen.LIBCMT ref: 008ADFCB
_wcslen.LIBCMT ref: 008ADFE2
_wcslen.LIBCMT ref: 008AE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008AE018

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: a691f44b8e1ff0bc469580c9af0bb5eb88c837ae066a0c69d7e04e8d214c1637
Instruction ID: 5940168544080a2c2c5fdd74071f483a47a3ac6c218d83079464bc8eb6aa281a
Opcode Fuzzy Hash: a691f44b8e1ff0bc469580c9af0bb5eb88c837ae066a0c69d7e04e8d214c1637
Instruction Fuzzy Hash: CF21D371900614AFDB10EFA8D982BAEBBF8FF46750F114065E905FB246D6709E40CBA2

Function 008D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

GetCursorPos.USER32(?), ref: 008D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00897711,?,?,?,?,?), ref: 008D9016
GetCursorPos.USER32(?), ref: 008D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00897711,?,?,?), ref: 008D9094

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: dbbe0940db01b576749c977fe3810d9ea5acd179ff6cf0497983e8509adf3c51
Instruction ID: 3de608cd3d475471fb792f181564365be2df9d947503787922d499c6f9ae37c0
Opcode Fuzzy Hash: dbbe0940db01b576749c977fe3810d9ea5acd179ff6cf0497983e8509adf3c51
Instruction Fuzzy Hash: D021BF35600418FFCB259F94E858EEA3BF9FF49360F048256F94587261C3319D90EB60

Function 008AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008DCB68), ref: 008AD2FB
GetLastError.KERNEL32 ref: 008AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008DCB68), ref: 008AD376

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ef75f2a6a30a3f5a10e6db74f3dbb0ff23d419d4b5312495c8da90481afee490
Instruction ID: 70fc7b7f4d99ffcdf3700f023f3550dfa6baffd0b52607b1b2e655ac3b0fb77e
Opcode Fuzzy Hash: ef75f2a6a30a3f5a10e6db74f3dbb0ff23d419d4b5312495c8da90481afee490
Instruction Fuzzy Hash: 8F218D705097069F9B10DF28C8818AEB7E4FE56324F104A1EF4AAC77A1E730D946CB93

Function 008A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008A102A
Part of subcall function 008A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008A1036
Part of subcall function 008A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1045
Part of subcall function 008A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008A104C
Part of subcall function 008A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008A15BE
_memcmp.LIBVCRUNTIME ref: 008A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008A1617
HeapFree.KERNEL32(00000000), ref: 008A161E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ad92bb55ed0c15b2b4f61a8b9bd5e39b0ab6a9e676e29d73da1a607135dff9e5
Instruction ID: 25f533a49e188b6ebed7792fb84f735cd888c2a4151e6bceb8842cb1244df3e3
Opcode Fuzzy Hash: ad92bb55ed0c15b2b4f61a8b9bd5e39b0ab6a9e676e29d73da1a607135dff9e5
Instruction Fuzzy Hash: 65215531E41109EBEF00DFA4C949BEEB7B8FF55344F084459E441EB241E730AA05CBA0

Function 008D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008D2840

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2e4079010b0597f90e7199d03c267a1f3c62069473220e91bfacf8c840b8bf19
Instruction ID: 0f1b91aee92f366902528d8d4b3c0328c6ec9ac04728164ed6d68934b7bb99f3
Opcode Fuzzy Hash: 2e4079010b0597f90e7199d03c267a1f3c62069473220e91bfacf8c840b8bf19
Instruction Fuzzy Hash: 6F21AE31205115AFD7149B28C844FAA7BA5FF55324F14835AE426CB7A2CB71EC42C791

Function 008A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008A790A,?,000000FF,?,008A8754,00000000,?,0000001C,?,?), ref: 008A8D8C
Part of subcall function 008A8D7D: lstrcpyW.KERNEL32(00000000,?,?,008A790A,?,000000FF,?,008A8754,00000000,?,0000001C,?,?,00000000), ref: 008A8DB2
Part of subcall function 008A8D7D: lstrcmpiW.KERNEL32(00000000,?,008A790A,?,000000FF,?,008A8754,00000000,?,0000001C,?,?), ref: 008A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008A8754,00000000,?,0000001C,?,?,00000000), ref: 008A7923
lstrcpyW.KERNEL32(00000000,?,?,008A8754,00000000,?,0000001C,?,?,00000000), ref: 008A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008A8754,00000000,?,0000001C,?,?,00000000), ref: 008A7984

Strings

cdecl, xrefs: 008A797B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: efdf36e78221554fd721c1f8051904699ea1dfc469b4a2ee61eafedf021e556f
Instruction ID: 0c06421eb0c4e1ddc0f6fd11a48635e097edfb52f16c1fb1998c687cc128fcd4
Opcode Fuzzy Hash: efdf36e78221554fd721c1f8051904699ea1dfc469b4a2ee61eafedf021e556f
Instruction Fuzzy Hash: 7911293A201302AFEB155F38CC45E7B7BA9FF86350B00402BF902CB6A4EB359811D7A1

Function 008D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008BB7AD,00000000), ref: 008D7D6B

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b1e3fe526d622660b9e5eed036642d539510de329e77cad3f4bf8b93536dedb7
Instruction ID: 70687a23cc89f8e3a165bf64587bcff01b3fb856f35157a673f2f66f02173b89
Opcode Fuzzy Hash: b1e3fe526d622660b9e5eed036642d539510de329e77cad3f4bf8b93536dedb7
Instruction Fuzzy Hash: 2C11AF31619615AFCB109F28DC04EAA3BA6FF45370B15872AF93AC72F0E7309951DB50

Function 008D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008D56BB
_wcslen.LIBCMT ref: 008D56CD
_wcslen.LIBCMT ref: 008D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008D5816

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a7e157d922216dfc109f3c58a7ded19fcc03b925d1dd547dad0d4048a8c655a8
Instruction ID: 1f656b9ae6c8a18fb94e6bed02f446241b3081945ebf0eb3b419210f95d1ac95
Opcode Fuzzy Hash: a7e157d922216dfc109f3c58a7ded19fcc03b925d1dd547dad0d4048a8c655a8
Instruction Fuzzy Hash: F111D671600608A6DB209F65DC85EEE7B6CFF10764F10426BF915D6281EB70C984CF65

Function 00871D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b80494099b97ae35fe8837957e05395e48d8d9370dae0637e5df4a99c385f2
Instruction ID: ee03e256d1f52d84d98508be2b1f5e18d59c1492482f7953133794cbaadefa40
Opcode Fuzzy Hash: 21b80494099b97ae35fe8837957e05395e48d8d9370dae0637e5df4a99c385f2
Instruction Fuzzy Hash: 14017CB220961A3EEE21167C6CC5F676B1CFF813B8B388326F529E15DADB60CC409560

Function 008A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008A1A8A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc723686e44f83d510c2f4ee8a6b704cd556c57313295a439c07fbc97cfc67ac
Instruction ID: 683092f13a7ad8de4a1464e25afadc66bd93351a81c370b957810ccb16bbb78e
Opcode Fuzzy Hash: bc723686e44f83d510c2f4ee8a6b704cd556c57313295a439c07fbc97cfc67ac
Instruction Fuzzy Hash: C611FA3A901229FFEF119BA5C985FADBB78FB05750F200095E604B7290D7716E50DB94

Function 008AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008AE24D

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 2039ecc9050771a170e3a9db5c982e048586f88643eb2cdd647d0cb1b78e6297
Instruction ID: 28f3dcf3d5b2029065b4aae40ef99e526e89a8756fbd72a0d3bfa39ce36e519b
Opcode Fuzzy Hash: 2039ecc9050771a170e3a9db5c982e048586f88643eb2cdd647d0cb1b78e6297
Instruction Fuzzy Hash: CE11C876A04259BBDB119FA89C09BDE7FACFB46320F048756F924D3291D6749904C7A0

Function 0086D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0086CFF9,00000000,00000004,00000000), ref: 0086D218
GetLastError.KERNEL32 ref: 0086D224
__dosmaperr.LIBCMT ref: 0086D22B
ResumeThread.KERNEL32(00000000), ref: 0086D249

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5079dedcb17251a0ad335ba06b4da8af051d1e489f27e9bf053f2afd97ff2034
Instruction ID: d8b52fa73d99b8d1d0d92ebf779549b5e0bf3f4fe5804f41722b94464036e214
Opcode Fuzzy Hash: 5079dedcb17251a0ad335ba06b4da8af051d1e489f27e9bf053f2afd97ff2034
Instruction Fuzzy Hash: 5D01C036E05208BBCB115BA9DC09AAA7B69FF82330F124319F925D62D1CFB1D941C6A1

Function 008D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00859BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00859BB2

GetClientRect.USER32(?,?), ref: 008D9F31
GetCursorPos.USER32(?), ref: 008D9F3B
ScreenToClient.USER32(?,?), ref: 008D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 008D9F7A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1b99d30ad8b90912b4dda6bd90712e61fdc2574657c9e9339d41da33562252b7
Instruction ID: d573a82df93a69f6465738331faccc18a8c4cc89b6ef7989b2f0724142210d78
Opcode Fuzzy Hash: 1b99d30ad8b90912b4dda6bd90712e61fdc2574657c9e9339d41da33562252b7
Instruction Fuzzy Hash: 91112A32A0111ABBDB10DF68D845DEE77B9FF45311F404656F951E3250DB30BA81CBA2

Function 0084600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0084604C
GetStockObject.GDI32(00000011), ref: 00846060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0084606A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 404ceb5f8f1a6260f52f0a85cddabfe5a93d30b540dbee077a42e89961a34219
Instruction ID: d1bffd63da7f2883aa23fc8c3934f2dc35935d7d60c881f0bec8b10e92723ff3
Opcode Fuzzy Hash: 404ceb5f8f1a6260f52f0a85cddabfe5a93d30b540dbee077a42e89961a34219
Instruction Fuzzy Hash: AC11617250290DBFEF125F94DC44EEABBA9FF19365F040216FA14A2120D732DC60DB91

Function 00863B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00863B56

Part of subcall function 00863AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00863AD2
Part of subcall function 00863AA3: ___AdjustPointer.LIBCMT ref: 00863AED

_UnwindNestedFrames.LIBCMT ref: 00863B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00863B7C
CallCatchBlock.LIBVCRUNTIME ref: 00863BA4

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d77087c849c7f657605d145df2d52d6f49582902c23c90d0002055364431ede1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1501E932100149BBDF125E99CC46EEF7B6AFF59764F064014FE48A6121C732E961EBA1

Function 00873073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008413C6,00000000,00000000,?,0087301A,008413C6,00000000,00000000,00000000,?,0087328B,00000006,FlsSetValue), ref: 008730A5
GetLastError.KERNEL32(?,0087301A,008413C6,00000000,00000000,00000000,?,0087328B,00000006,FlsSetValue,008E2290,FlsSetValue,00000000,00000364,?,00872E46), ref: 008730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0087301A,008413C6,00000000,00000000,00000000,?,0087328B,00000006,FlsSetValue,008E2290,FlsSetValue,00000000), ref: 008730BF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e8e36108647695751d5168312c9bc7c2f05d6b0b5dd66703dca70a19cd64e39b
Instruction ID: 01ce397e58e4b529cb5f72b15f75332a6b66961314b3afb80f164296f7477132
Opcode Fuzzy Hash: e8e36108647695751d5168312c9bc7c2f05d6b0b5dd66703dca70a19cd64e39b
Instruction Fuzzy Hash: 50012B32356A37ABCB314B789C449577B98FF45B61B208720F90DE7294D721D901D6E1

Function 008A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008A74CA

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e0521830793c13cc96815258aa19479f1232f369c3994bdd5bc9162365c6b34f
Instruction ID: 241db7d29e12e9d9d056a6812db654c72b00936ce7d695196695c29f6e564d8a
Opcode Fuzzy Hash: e0521830793c13cc96815258aa19479f1232f369c3994bdd5bc9162365c6b34f
Instruction Fuzzy Hash: 4711A1B12063169FF7208F14DC08B927BFCFB05B04F10856AE616D6551E7B0E944EB94

Function 008AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008AACD3,?,00008000), ref: 008AB126

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c560876fcb358a4db3414897d9bba90a527de8052352addfaf9d9ff5c43f33aa
Instruction ID: bc4ff8cd5d1d7261a43eaf72ad70f5eaaf71e7433a972126ad27776ff04d078c
Opcode Fuzzy Hash: c560876fcb358a4db3414897d9bba90a527de8052352addfaf9d9ff5c43f33aa
Instruction Fuzzy Hash: 2B113931D0192DEBDF00AFE4E9986EEBF78FF0A711F104196D941B2282DB305650CB51

Function 008D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008D7E33
ScreenToClient.USER32(?,?), ref: 008D7E4B
ScreenToClient.USER32(?,?), ref: 008D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008D7E8A

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fb89b079744f93baae99f08150b5b97f067f457c0161e9d529398c10d80e8980
Instruction ID: b05476cce1704d0d80ae6f75382998ac49b51bc565390681abbba5fe5fbb5783
Opcode Fuzzy Hash: fb89b079744f93baae99f08150b5b97f067f457c0161e9d529398c10d80e8980
Instruction Fuzzy Hash: 641153B9D0020AAFDB41CF98D884AEEBBF9FF18310F509166E915E3210D735AA54CF90

Function 008A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008A2DD6
GetCurrentThreadId.KERNEL32 ref: 008A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008A2DE4

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9600ae76997ebc5ea7d1ddbdae0c12cb49ebd538e940422daa9a2a2bd497147a
Instruction ID: 993516a9160feaef805e1330add95d2c3c904c15ded5b5445c3ddb6a12b728f0
Opcode Fuzzy Hash: 9600ae76997ebc5ea7d1ddbdae0c12cb49ebd538e940422daa9a2a2bd497147a
Instruction Fuzzy Hash: 1AE06DB11022297AEB201B66AC0DEEB3F6CFF53BA1F00021AF506D14819AA4C840C6B0

Function 008D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00859639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00859693
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596A2
Part of subcall function 00859639: BeginPath.GDI32(?), ref: 008596B9
Part of subcall function 00859639: SelectObject.GDI32(?,00000000), ref: 008596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008D8887
LineTo.GDI32(?,?,?), ref: 008D8894
EndPath.GDI32(?), ref: 008D88A4
StrokePath.GDI32(?), ref: 008D88B2

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cd8266d33140dba41aafd537ea5e8d611cf9c4b39f21ab819e33fd63338236c3
Instruction ID: 6bd12f5797bee278ffbef420ebf68ed38b7a46caf26571983bd8206594355457
Opcode Fuzzy Hash: cd8266d33140dba41aafd537ea5e8d611cf9c4b39f21ab819e33fd63338236c3
Instruction Fuzzy Hash: 36F09A36006659FADB122F94AC09FCA3B59BF06310F408202FA11A10E1C7741910DBA5

Function 008598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008598CC
SetTextColor.GDI32(?,?), ref: 008598D6
SetBkMode.GDI32(?,00000001), ref: 008598E9
GetStockObject.GDI32(00000005), ref: 008598F1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e7ed14a7cf1bc0582d6af9aa80433a82b166919fa4538a195b5f2752ddcf6885
Instruction ID: f4b4a1eb87a44747829435b0abac11c9e776716f333a75a6f86ebef56896f9b6
Opcode Fuzzy Hash: e7ed14a7cf1bc0582d6af9aa80433a82b166919fa4538a195b5f2752ddcf6885
Instruction Fuzzy Hash: B4E06D31245291AADF215B74BC09BE83F20FB12336F08831AF6FA980E1C3714640DB10

Function 008A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008A11D9), ref: 008A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008A11D9), ref: 008A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008A11D9), ref: 008A164F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7c023b301a2e3f40918299e8624bfe0aa5428060ebeef4335ddb99023987bb57
Instruction ID: a1e19022f1a72cbb30497c7f86304cddde23aa1827457d82ac18996f9f06a496
Opcode Fuzzy Hash: 7c023b301a2e3f40918299e8624bfe0aa5428060ebeef4335ddb99023987bb57
Instruction Fuzzy Hash: 18E08631603212DBEB201FE19E0DB4A3B7CFF557A1F144909F245C9080D6344440C750

Function 0089D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0089D858
GetDC.USER32(00000000), ref: 0089D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0089D882
ReleaseDC.USER32(?), ref: 0089D8A3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 96dbbd2bc5f63e699bb56c61dab4fedccbb2d38f0c26ffceabcf2892fb4e10f9
Instruction ID: 023745f9be06d54e17eeacb8a75a6998d84f615a395a9e8de311797e5c7a23a4
Opcode Fuzzy Hash: 96dbbd2bc5f63e699bb56c61dab4fedccbb2d38f0c26ffceabcf2892fb4e10f9
Instruction Fuzzy Hash: D1E01AB080120ADFCF41AFA0E80866DBBB5FB18311F18851AE806E7250CB388905EF40

Function 0089D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0089D86C
GetDC.USER32(00000000), ref: 0089D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0089D882
ReleaseDC.USER32(?), ref: 0089D8A3

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1492aeaa419ed91fd49c17bea7d66700a654babad3db57348420ec41d198e5bf
Instruction ID: 1e85647c9e77c4f1bc8d5aa0798994813dde4a0dcc0697d00d70b72e4368be9f
Opcode Fuzzy Hash: 1492aeaa419ed91fd49c17bea7d66700a654babad3db57348420ec41d198e5bf
Instruction Fuzzy Hash: 6CE04F70C01205DFCF509FA0E80C66DBBB5FB18311F14810AF806E7250CB389905DF40

Function 008B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00847620: _wcslen.LIBCMT ref: 00847625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008B4ED4

Strings

LPT, xrefs: 008B4DFB
*, xrefs: 008B4E10

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 94c75f02818e86de89ccabc6fde8c1011a929c97c344600dcfdce85039f4651b
Instruction ID: fb3234ff74d66ce43af855854cf279db7f84ae5252e97551ced9c03309aaf850
Opcode Fuzzy Hash: 94c75f02818e86de89ccabc6fde8c1011a929c97c344600dcfdce85039f4651b
Instruction Fuzzy Hash: 85915E75A002189FCB14DF58C485EAABBF1FF44318F199099E80A9F362DB35ED85CB91

Function 0086E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0086E30D

Strings

pow, xrefs: 0086E2E5, 0086E302

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: beed70d600c53d76a49b5b30ef8449897c1bdb7e50f74f7575254eed7abe32c1
Instruction ID: 555885a403f00b154796e34ee8246723234633d340aa2626827f5a028f1af998
Opcode Fuzzy Hash: beed70d600c53d76a49b5b30ef8449897c1bdb7e50f74f7575254eed7abe32c1
Instruction Fuzzy Hash: 23516B65A0C20696DB257718CA413793BA8FB40B40F35C968F099C63EDDF30CC95DA87

Function 0085E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0085E1B1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6ceb7f25f0bdcdf03bca04300eb014b1812fb95ee53fd65d308330f86c9470fa
Instruction ID: 70b08960240f4793bb7e69809cec2d0f681b3c9d932685763e2ccd23b08a7b32
Opcode Fuzzy Hash: 6ceb7f25f0bdcdf03bca04300eb014b1812fb95ee53fd65d308330f86c9470fa
Instruction Fuzzy Hash: B751F33550424AEFDF19EFA8C881ABA7BA5FF15311F284055FC91DB290D6309E46CB62

Function 0085F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0085F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0085F2BB

Strings

@, xrefs: 0085F2AF

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2ae710e07706bec70adc003e96ab190322976401feb7f8b8a3016cf7284a178f
Instruction ID: 61479eb3d7240fd46c04816115a521b2551580ded93ae6adadfc3d40980962b1
Opcode Fuzzy Hash: 2ae710e07706bec70adc003e96ab190322976401feb7f8b8a3016cf7284a178f
Instruction Fuzzy Hash: BD515771419B489BD320AF54D886BABBBF8FB84300F81885DF2D981195EF718529CB67

Function 008C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008C57E0
_wcslen.LIBCMT ref: 008C57EC

Strings

CALLARGARRAY, xrefs: 008C57E6, 008C57EB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 51d691f78b347735e6edd751e1d2db54ffc51917b57da3dc40384c0299896fb9
Instruction ID: a562664ea9bf43beb7bb534081bd6f29cb634716a5860048820a9eb426b871ec
Opcode Fuzzy Hash: 51d691f78b347735e6edd751e1d2db54ffc51917b57da3dc40384c0299896fb9
Instruction Fuzzy Hash: AF416C31A002099FCF14DFA9C881DAEBBB5FF59764B14416DE505E7291E730ED81CBA1

Function 008BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008BD13A

Strings

|, xrefs: 008BD10B

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 63bdc63fc6636671d18df0d1ceba4e1f9cb4d84d4e04e4b3540954bb1c703657
Instruction ID: e16305041cc9edaf1dc665dccc5b70b054718c3059abe6d398f47f2a9c9f5ec4
Opcode Fuzzy Hash: 63bdc63fc6636671d18df0d1ceba4e1f9cb4d84d4e04e4b3540954bb1c703657
Instruction Fuzzy Hash: 2D311A71D01219ABCF15EFA8CC85AEEBFB9FF05304F100019F815E6262E731AA16CB51

Function 008D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008D365C

Strings

static, xrefs: 008D35BC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 802f7375f8a612cd1fa8dd673bec7468423bbaffd8379cb0032fc2bd0d032351
Instruction ID: 7a890bce3fe61fc9f5d63d0d236701d7ad3b753785c6a38d4b0cfb942cc28b7f
Opcode Fuzzy Hash: 802f7375f8a612cd1fa8dd673bec7468423bbaffd8379cb0032fc2bd0d032351
Instruction Fuzzy Hash: 44319C71110604AEDB109F28EC81EFB73A9FF98724F00871AF9A5D7280DA31ED91DB61

Function 008D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 008D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008D4634

Strings

', xrefs: 008D458E

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 388032480b066dfb86b507cd76b423a79ea1569dd252b16eb7eec5ceb1a00cb7
Instruction ID: cf9b93bff297ddf6d47313c3e12618caa811440efb2235dc787363943d711d57
Opcode Fuzzy Hash: 388032480b066dfb86b507cd76b423a79ea1569dd252b16eb7eec5ceb1a00cb7
Instruction Fuzzy Hash: 02312774A0120AAFDB14CFA9D981BDA7BB5FF09300F10526AE905EB381D770E941CF90

Function 008D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008D3287

Strings

Combobox, xrefs: 008D3249

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1ff0369e0668277dce657e9b8aab5239b5726bce295c39739b6d3eb4a4c7b2a4
Instruction ID: 32a881dfefc5b440ad137305fec3609485a489891d8154971948f3afc9843dda
Opcode Fuzzy Hash: 1ff0369e0668277dce657e9b8aab5239b5726bce295c39739b6d3eb4a4c7b2a4
Instruction Fuzzy Hash: 1711B271B40208BFEF219E94DC81EBB3B6AFB94365F10422AF918E7390D6719D518761

Function 008AEF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008AEF1D

Strings

H, xrefs: 008AEF1B
HANDLE, xrefs: 008AEF16

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$H
API String ID: 176396367-3448519317
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: e50db711bdc7eafe41f18b6aa42c1fc719f5745c2b912bb2b93bf091f562fda3
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: E911D3715101199EF7289F54D889BADB3A9FF82765F6048EAE441CF4C4EF709E81C614

Function 008D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0084600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0084604C
Part of subcall function 0084600E: GetStockObject.GDI32(00000011), ref: 00846060
Part of subcall function 0084600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0084606A

GetWindowRect.USER32(00000000,?), ref: 008D377A
GetSysColor.USER32(00000012), ref: 008D3794

Strings

static, xrefs: 008D3757

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b38be620e29398dccb65bce030b3d6fe36db0d4ac73f6726cad540e5ca6cc06e
Instruction ID: a395ffc97755ef6ad9c7d651e77a88e020465b7e6adeb7d98c8c7d9cf5592cd7
Opcode Fuzzy Hash: b38be620e29398dccb65bce030b3d6fe36db0d4ac73f6726cad540e5ca6cc06e
Instruction Fuzzy Hash: 00113AB261060AAFDF00DFA8CC46EFA7BB8FB08354F004626F955E2250E735E851DB61

Function 008BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008BCDA6

Strings

<local>, xrefs: 008BCD66

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d08b827e612cb9a62ae7f4cf9d467cf6030ef7d05de9e2f7a2d56b545dda86c5
Instruction ID: 557510ee778827e38b9d67961816f87d4eb3020ff1801ecd106bcf65130184dd
Opcode Fuzzy Hash: d08b827e612cb9a62ae7f4cf9d467cf6030ef7d05de9e2f7a2d56b545dda86c5
Instruction Fuzzy Hash: D011C279245636BED7384B668C49EE7BEACFF527A8F44422AB149C3280D7709840D6F0

Function 008D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008D34BA

Strings

edit, xrefs: 008D348F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 888416d85954dcc2ff85529553ff9f2d5744bc926677ffd37055d4b9277aced3
Instruction ID: f776ba0ec43f4d6c4874987c7af01530911b37a9852918ff0c2c893c2b8faaab
Opcode Fuzzy Hash: 888416d85954dcc2ff85529553ff9f2d5744bc926677ffd37055d4b9277aced3
Instruction Fuzzy Hash: 86118F71100108AFEF114E64EC44AEB376AFB25378F504326F961D32D0C779DD51975A

Function 008A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

CharUpperBuffW.USER32(?,?,?), ref: 008A6CB6
_wcslen.LIBCMT ref: 008A6CC2

Strings

STOP, xrefs: 008A6CBC, 008A6CC1

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 482a8049a456c1bf1f3451b9f15016dfe64a7c82fc6752f7c75d9be991321601
Instruction ID: 058df42fb5b303f4c76546b2a287ed39714ffa3cbd7c83081336d04157670c48
Opcode Fuzzy Hash: 482a8049a456c1bf1f3451b9f15016dfe64a7c82fc6752f7c75d9be991321601
Instruction Fuzzy Hash: 73010432A0052B8BEB209FBDDC809BF37A4FF627607050528E962D6199FA36D920C650

Function 008A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008A1D4C

Strings

ListBox, xrefs: 008A1D16
ComboBox, xrefs: 008A1CEB

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7b488bd153e46fe509b7bb6a9bb118dc620809b73b6b43bb754a96c6db86a851
Instruction ID: 3d2efe3edf6018798d425d66b53ca9af82ef4684207097dc48f9753db677d9db
Opcode Fuzzy Hash: 7b488bd153e46fe509b7bb6a9bb118dc620809b73b6b43bb754a96c6db86a851
Instruction Fuzzy Hash: 1001D875641218ABDF14EBA8DC55CFF7768FB57350F040619F872D76C1EA305908C661

Function 008A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008A1C46

Strings

ListBox, xrefs: 008A1C10
ComboBox, xrefs: 008A1BE5

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f99e95deaa62af474128d542ca79e689608f884157a4afc8ff80fce085608c85
Instruction ID: c663a63a1fc9c8bf53141cd18d234ff16a76085c7e700e62f7b0004571e514b4
Opcode Fuzzy Hash: f99e95deaa62af474128d542ca79e689608f884157a4afc8ff80fce085608c85
Instruction Fuzzy Hash: 2001A775AC11086BDF14EB94DD559FF77A8FB62350F140019F446E76C2EA209F08D6B2

Function 008A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008A1CC8

Strings

ListBox, xrefs: 008A1C94
ComboBox, xrefs: 008A1C69

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: aab48ec8c98be2afe7162f8d70a60fe8e2d7ef48f4ae111670e20e557dfbfb81
Instruction ID: bdadd937c535bf7d16a91142d1fb94492681899b508ee9716464314a45238e58
Opcode Fuzzy Hash: aab48ec8c98be2afe7162f8d70a60fe8e2d7ef48f4ae111670e20e557dfbfb81
Instruction Fuzzy Hash: 06018B75A8111C67DF24E798DE55AFF77A8FB12350F140015F841F3681EA619F08C6B2

Function 008A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00849CB3: _wcslen.LIBCMT ref: 00849CBD

Part of subcall function 008A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008A1DD3

Strings

ListBox, xrefs: 008A1DA0
ComboBox, xrefs: 008A1D75

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0485d0845d3deeb5fdae49a8e92006aaaace4cffc5689a37287628e93bf6151c
Instruction ID: f294bb440c3063719da5520ba04249328fd1f2414ab2c45c52c0627de4021f69
Opcode Fuzzy Hash: 0485d0845d3deeb5fdae49a8e92006aaaace4cffc5689a37287628e93bf6151c
Instruction Fuzzy Hash: F3F0A471A412186AEB14F7A8DD96AFF7768FB12354F040919F862E36C2DA605A08C6A1

Function 008C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008C7493
_wcslen.LIBCMT ref: 008C74B9

Strings

3, 3, 16, 1, xrefs: 008C7483

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7f5a20c5f3115178b14133a6d4517d9116067fec42d234731f625f3628e632bc
Instruction ID: a364220bd03ffd17031e22a1b2e10db20cd67d7f6b345ef57f314b9c68f230c1
Opcode Fuzzy Hash: 7f5a20c5f3115178b14133a6d4517d9116067fec42d234731f625f3628e632bc
Instruction Fuzzy Hash: 03E02B0264462014A235127DACC1F7F5A9EFFC5760710282FF981C227AEAA4CD9193A6

Function 008A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008A0B23

Strings

AutoIt, xrefs: 008A0B17
Error allocating memory., xrefs: 008A0B1C

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f159d4163ca91bc8ec6d3c3470223aabc900731f2ca2860e10be926021d4ee35
Instruction ID: fcb17b2638968ca4287348f33b512f16cf300de4316de79687f2495e278934d3
Opcode Fuzzy Hash: f159d4163ca91bc8ec6d3c3470223aabc900731f2ca2860e10be926021d4ee35
Instruction Fuzzy Hash: ADE048312853197AD2143798BC03F897B94FF05B65F100527FB98D55C38AD2645496AA

Function 00860D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0085F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00860D71,?,?,?,0084100A), ref: 0085F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0084100A), ref: 00860D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0084100A), ref: 00860D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00860D7F

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: da87801f2956f238a0591080a2571fcd9cdcd05b0df62d2b3e2e1febda1d64e1
Instruction ID: e40891db0d0777cb5ec613dfa7170230844f54a014234526a3e898deb31e660e
Opcode Fuzzy Hash: da87801f2956f238a0591080a2571fcd9cdcd05b0df62d2b3e2e1febda1d64e1
Instruction Fuzzy Hash: 6AE039702007428BD3209FA8E4042467BE4FB04745F018B2EE692CA756DBB4E448DF91

Function 008B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 008B3044

Strings

aut, xrefs: 008B3038

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 63dd385dbe2f4e83f3abbfabeeecffeadc6e58ae65d941c45fd3f67913de6217
Instruction ID: 4a13e9e15f2d13e004b074446cca2050f4997513822bae717fd51f46f8251861
Opcode Fuzzy Hash: 63dd385dbe2f4e83f3abbfabeeecffeadc6e58ae65d941c45fd3f67913de6217
Instruction Fuzzy Hash: 64D05B725013146BDA20A7949C0DFC73B6CD704750F400352F655D20D1DAB09544CAD0

Function 0089D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0089D220

Strings

%.3d, xrefs: 0089D22B
X64, xrefs: 0089D2A8

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b5e6dffbc8586cab7ab8452c2f142463f7835da2f14ed18743712d86b24506d5
Instruction ID: fba2082f4a35c8fb58982994158a8bd1b6b73c780db204f4dae7cc85c1ed3eaf
Opcode Fuzzy Hash: b5e6dffbc8586cab7ab8452c2f142463f7835da2f14ed18743712d86b24506d5
Instruction Fuzzy Hash: 73D01261C0930DE9CF50A7D0DC458B9B3BCFB18305F948452FD06D1081D624E508A766

Function 008D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008D233F

Part of subcall function 008AE97B: Sleep.KERNEL32 ref: 008AE9F3

Strings

Shell_TrayWnd, xrefs: 008D2325

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: eaf8ba568fc1b110f96616a167417c0c2be2e51b64d6cc626b06a5e0677a03a9
Instruction ID: c99425c58d51c86913a1ae9e2326c0baf859a68ae083f78aa5b6b24af71c8bb3
Opcode Fuzzy Hash: eaf8ba568fc1b110f96616a167417c0c2be2e51b64d6cc626b06a5e0677a03a9
Instruction Fuzzy Hash: CCD0C936395311BAEAA4A770AC4FFC67B58BB50B14F004A1AB645AA1D0CAA0A801CA54

Function 008D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008D236C
PostMessageW.USER32(00000000), ref: 008D2373

Part of subcall function 008AE97B: Sleep.KERNEL32 ref: 008AE9F3

Strings

Shell_TrayWnd, xrefs: 008D2365

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 72f2b55fdc164e8033e2220bf1622ad76173629d07150b17ec4e0c7929947dea
Instruction ID: e5849dd23812b10fc0c5f9557cf8d055910362303c1547c05b4e130db5fe21c1
Opcode Fuzzy Hash: 72f2b55fdc164e8033e2220bf1622ad76173629d07150b17ec4e0c7929947dea
Instruction Fuzzy Hash: 7AD0C9323823117AEAA4A770AC4FFC67B58BB55B14F004A1AB645EA1D0CAA0A801CA54

Function 0087BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0087BE93
GetLastError.KERNEL32 ref: 0087BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0087BEFC

Memory Dump Source

Source File: 00000000.00000002.1814535963.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1814495815.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.00000000008DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814668831.0000000000902000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814846880.000000000090C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814923862.0000000000914000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 404323d2cec9f18571fbdb9efe9e96b03d1ca49f6261d9a06bd2710995ecc252
Instruction ID: a5baa46c0c81805cb4fb5644fb05053751dc4d988338edd4a623b16a779ac60d
Opcode Fuzzy Hash: 404323d2cec9f18571fbdb9efe9e96b03d1ca49f6261d9a06bd2710995ecc252
Instruction Fuzzy Hash: 0A41D535601216ABCF218F65CC54BAA7BA6FF41720F158169F95DD72A9DF30CC00CB61

Analysis Process: firefox.exePID: 2720, Parent PID: 6408COMMON

Executed Functions

Function 0000027DEFFB582E Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1926868996.0000027DEFFB1000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000027DEFFB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_27deffb1000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76dce3eb681572825c151b14d4881b907f353eaced47b161671f31f21e22774
Instruction ID: a608bd7c6fd2b408f44c4874dbe349cea1443757af6f8f7f1be19be6ec1119b7
Opcode Fuzzy Hash: d76dce3eb681572825c151b14d4881b907f353eaced47b161671f31f21e22774
Instruction Fuzzy Hash: 86E18F3161490D9FDF98EB58C898BA8B3B1FF6C311F2901AAD50DE7291CB75AD81CB50

Function 0000027DEFFB7DB9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1926868996.0000027DEFFB1000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000027DEFFB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_27deffb1000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17a62895f3e0f86f3679c543c068221e1c0bca989fd45aa542a88fd3c26e141
Instruction ID: 7ff5e5cb51b9257c286a560da3980d24070c4a142ee0479c23d011905f141779
Opcode Fuzzy Hash: e17a62895f3e0f86f3679c543c068221e1c0bca989fd45aa542a88fd3c26e141
Instruction Fuzzy Hash: 15310531618A099FEB8DDB68D49EBA973E1FF1D310F55006DE10DEB2D2C6A0AC80C751

Analysis Process: firefox.exePID: 7604, Parent PID: 2720COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001F9DF0737B2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001F9DF073817

Strings

z, xrefs: 000001F9DF07384B
>, xrefs: 000001F9DF07461C
A, xrefs: 000001F9DF07380F
#, xrefs: 000001F9DF071B85
4, xrefs: 000001F9DF077899
>, xrefs: 000001F9DF0778BF
#, xrefs: 000001F9DF073842
z, xrefs: 000001F9DF074DF6
#, xrefs: 000001F9DF0748F1
>, xrefs: 000001F9DF073879

Memory Dump Source

Source File: 00000010.00000002.3618653166.000001F9DF071000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F9DF071000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1f9df071000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 9e6196ce3f567570366273e03e4ee3993d25b4a7380d1fa17c13c06744e36226
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: B6A3C331618A498BDB2DEF58DC867F977E5FB98304F14427ED84AC7251DE34EA028AC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 52.222.236.120 52.222.236.120
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1977161382.00000235DAC59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1947488281.00000235E79A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927488251.00000235E79A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1945743610.00000235E7A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961492877.00000235E7A12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1929029792.00000235E5BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930139889.00000235E11B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934991810.00000235E04AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1929029792.00000235E5BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934991810.00000235E04AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1978884270.00000235DE6E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947488281.00000235E79A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927488251.00000235E79A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1945743610.00000235E7A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961492877.00000235E7A12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1974671078.00000235DED1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1833840342.00000235DF867000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929029792.00000235E5BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930139889.00000235E11B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1929029792.00000235E5BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934991810.00000235E04AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3614918161.000001F9DEF0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3614918161.000001F9DEF0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3614918161.000001F9DEF0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3615877953.00000221A6A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1954346046.00000235E7722000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E7721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1978884270.00000235DE6E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947910846.00000235E774E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980057831.00000235DDD18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1945743610.00000235E7A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1961492877.00000235E7A12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1978083448.00000235D9FDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1947910846.00000235E774E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1978884270.00000235DE6E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965235448.00000235DF696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970963182.00000235DF696000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.120:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50060 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7a006e65-81c7-44e6-bca9-904f9547e6f3.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_7a006e65-81c7-44e6-bca9-904f9547e6f3.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C94QBWI5PPYC4QEB1D1D.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z07K3J0Q26EHY2CW379H.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre