Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541195
MD5:	7204a55ed486cee5061c0518d9f594ac
SHA1:	58eaf918c76803f4405230aaad34582fa1a65a4d
SHA256:	f02f2b6cc008e93e49656ee981244e2bc4c6d352dfe1921974ed88fd70c8fe17
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7204A55ED486CEE5061C0518D9F594AC)

taskkill.exe (PID: 7308 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7412 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7468 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7532 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7596 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7660 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7700 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7716 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7960 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baac71d5-40f3-4bd6-b9a2-f58f729b2199} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27bffd70310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4960 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -parentBuildID 20230927232528 -prefsHandle 1540 -prefMapHandle 4036 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d14240-9cd3-49bb-8984-b5bc4d0eecb7} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9223cb10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5340 -prefMapHandle 5352 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {316c6cfb-6661-4d2d-9a1c-1d3edad563fa} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9e0a7110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7292	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_008FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008FED6A

Source: C:\Users\user\Desktop\file.exe

0_2_008FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008EAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00919576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00919576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1548127e-e
Source: file.exe, 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_04b60d5e-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fbd78fa5-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e385de53-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000015DA86E9FB7 NtQuerySystemInformation,		16_2_0000015DA86E9FB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000015DA87045F2 NtQuerySystemInformation,		16_2_0000015DA87045F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008ED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008EE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F2046	0_2_008F2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00888060	0_2_00888060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E8298	0_2_008E8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BE4FF	0_2_008BE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B676B	0_2_008B676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00914873	0_2_00914873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ACAA0	0_2_008ACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088CAF0	0_2_0088CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089CC39	0_2_0089CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B6DD9	0_2_008B6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008891C0	0_2_008891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089B119	0_2_0089B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1394	0_2_008A1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1706	0_2_008A1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A781B	0_2_008A781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A19B0	0_2_008A19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00887920	0_2_00887920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089997D	0_2_0089997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A7A4A	0_2_008A7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A7CA7	0_2_008A7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1C77	0_2_008A1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B9EEE	0_2_008B9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090BE44	0_2_0090BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1F32	0_2_008A1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000015DA86E9FB7	16_2_0000015DA86E9FB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000015DA87045F2	16_2_0000015DA87045F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000015DA8704632	16_2_0000015DA8704632
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000015DA8704D1C	16_2_0000015DA8704D1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0089F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008A0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F37B5 GetLastError,FormatMessageW,

0_2_008F37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E10BF AdjustTokenPrivileges,CloseHandle,		0_2_008E10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008E16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008F51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008ED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008ED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008F648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008842A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1901492595.0000027B9E94E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1965032665.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901492595.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1975706133.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948866869.0000027B9E655000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baac71d5-40f3-4bd6-b9a2-f58f729b2199} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27bffd70310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -parentBuildID 20230927232528 -prefsHandle 1540 -prefMapHandle 4036 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d14240-9cd3-49bb-8984-b5bc4d0eecb7} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9223cb10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5340 -prefMapHandle 5352 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {316c6cfb-6661-4d2d-9a1c-1d3edad563fa} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9e0a7110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baac71d5-40f3-4bd6-b9a2-f58f729b2199} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27bffd70310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -parentBuildID 20230927232528 -prefsHandle 1540 -prefMapHandle 4036 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d14240-9cd3-49bb-8984-b5bc4d0eecb7} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9223cb10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5340 -prefMapHandle 5352 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {316c6cfb-6661-4d2d-9a1c-1d3edad563fa} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9e0a7110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1967590455.0000027B9370F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1996944207.0000027B9146D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1987178609.0000027B9370F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1967590455.0000027B9370F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1987178609.0000027B9370F000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008842DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A0A76 push ecx; ret

0_2_008A0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0089F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00911C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00911C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96113

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000015DA86E9FB7 rdtsc

16_2_0000015DA86E9FB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008EDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F68EE FindFirstFileW,FindClose,	0_2_008F68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008F698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008ED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008ED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008F9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008F979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008F9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008F5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008842DE

Source: firefox.exe, 0000000F.00000002.2992397630.000002CF281CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3jx
Source: firefox.exe, 0000000F.00000002.2997279129.000002CF28940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: firefox.exe, 0000000F.00000002.2992397630.000002CF281CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp#
Source: firefox.exe, 0000000F.00000002.2992397630.000002CF281CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2995850345.0000015DA8590000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2996073379.000002D67F160000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992138097.000002D67ED0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2996517759.000002CF28521000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2995850345.0000015DA85A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: firefox.exe, 00000010.00000002.2991041437.0000015DA7D5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWplY
Source: firefox.exe, 00000010.00000002.2995850345.0000015DA85A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: firefox.exe, 0000000F.00000002.2997279129.000002CF28940000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2995850345.0000015DA85A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000015DA86E9FB7 rdtsc

16_2_0000015DA86E9FB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FEAA2 BlockInput,

0_2_008FEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008B2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A4CE8 mov eax, dword ptr fs:[00000030h]

0_2_008A4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008E0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008B2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008A083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A09D5 SetUnhandledExceptionFilter,	0_2_008A09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008A0C21

Source: C:\Users\user\Desktop\file.exe

0_2_008E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008C2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EB226 SendInput,keybd_event,

0_2_008EB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009022DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_008E0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008E1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1977415241.0000027B9370F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A0698 cpuid

0_2_008A0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_008F8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DD27A GetUserNameW,

0_2_008DD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008BBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008BBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008842DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00901204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00901204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00901806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00901806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.110	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.23.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1994903965.0000027B9803F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA81C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992752954.000002D67F0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1903546514.0000027B9E0BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2993914148.000002CF284B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA81F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2996275518.000002D67F303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1921924946.0000027B981B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.2992752954.000002D67F08F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1835048683.0000027B998FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1961044102.0000027B913D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1788557536.0000027B8F800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792805832.0000027B8FA5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791835418.0000027B8FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793483762.0000027B8FA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789662535.0000027B8FA1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1845554856.0000027B90584000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837676998.0000027B90584000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1994293253.0000027B985E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979912365.0000027B985E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microso	firefox.exe, 0000000D.00000003.1969606782.0000027B93703000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970828909.0000027B93703000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1968683942.0000027B93703000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1994903965.0000027B980DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905185709.0000027B980DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1788557536.0000027B8F800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845554856.0000027B90576000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837676998.0000027B90576000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911239593.0000027B90FFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792805832.0000027B8FA5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791835418.0000027B8FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793483762.0000027B8FA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789662535.0000027B8FA1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1954381661.0000027B927BB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1788557536.0000027B8F800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792805832.0000027B8FA5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791835418.0000027B8FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793483762.0000027B8FA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789662535.0000027B8FA1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1956543226.0000027B92419000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2993914148.000002CF284B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA81F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2996275518.000002D67F303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1979912365.0000027B98586000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1856301327.0000027B9124D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1975837950.0000027B9E63C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1958958141.0000027B91486000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1981325074.0000027B914B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958958141.0000027B914B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003833819.0000027B914B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2993914148.000002CF284B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA81F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2996275518.000002D67F303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1952968875.0000027B982BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA810A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992752954.000002D67F00C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1896184262.0000027B90342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1979912365.0000027B9851E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994293253.0000027B98517000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1994903965.0000027B9803F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA81C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992752954.000002D67F0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1991864315.0000027B998D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1893320286.0000027B92185000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1911239593.0000027B90F9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1979912365.0000027B98586000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1979612071.0000027B99BB4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1981325074.0000027B914C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003833819.0000027B914C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000063505.0000027B914C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958958141.0000027B914C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.2992752954.000002D67F013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1903435847.0000027B9E0FA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.2993914148.000002CF28472000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA8186000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1893320286.0000027B92185000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864610755.0000027B90B83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1934120641.0000027B903E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920914632.0000027B9124A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864996348.0000027B90BFD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921924946.0000027B981F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954381661.0000027B927A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967038153.0000027B90DF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953825728.0000027B97AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1987265691.0000027B8FA4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911239593.0000027B90F97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864996348.0000027B90BD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858656546.0000027B9124D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906076558.0000027B97DCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859456375.0000027B90BE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911239593.0000027B90FA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908546635.0000027B903AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952187947.0000027B98373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995796675.0000027B93195000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911239593.0000027B90F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940575063.0000027B97DDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1971346805.0000027B98191000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906631256.0000027B91242000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1954381661.0000027B927BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1955264844.0000027B9272D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954381661.0000027B927BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1835531383.0000027B99845000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952187947.0000027B98367000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1921924946.0000027B981B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1994903965.0000027B980DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905185709.0000027B980DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1835131625.0000027B99865000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1993643563.0000027B99863000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1994903965.0000027B980DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905185709.0000027B980DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1961044102.0000027B913D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1795973935.0000027B8F633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967470298.0000027B8F634000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1893320286.0000027B92185000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864610755.0000027B90B8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1838476502.0000027B9C19C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951389456.0000027B9C19C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1990662035.0000027B9C19C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1893320286.0000027B92185000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896184262.0000027B90342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1795973935.0000027B8F633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967470298.0000027B8F634000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1979912365.0000027B9851E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994293253.0000027B98517000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2993914148.000002CF284B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA81F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2996275518.000002D67F303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1846346293.0000027B901AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1950428712.0000027B9D25D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1789662535.0000027B8FA1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1903435847.0000027B9E0FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1953535082.0000027B97EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791835418.0000027B8FA3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793483762.0000027B8FA77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789662535.0000027B8FA1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2993297756.000002CF28330000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996158958.0000015DA8690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2992399402.000002D67EE10000.00000002.10000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.186.110	youtube.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541195
Start date and time:	2024-10-24 15:08:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 52.13.186.250, 44.231.229.39, 142.250.186.174, 2.22.61.59, 2.22.61.56, 2.18.121.79, 2.18.121.72, 142.250.186.74, 142.250.186.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
09:09:14	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
star-mini.c10r.facebook.com	https://app.writesonic.com/share/writing-assistant/d140c48b-3642-43bf-a085-e258c1fb4f03	Get hash	malicious	Unknown	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://app.writesonic.com/share/writing-assistant/d140c48b-3642-43bf-a085-e258c1fb4f03	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn	Get hash	malicious	HtmlDropper	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	attachment(1).eml	Get hash	malicious	Unknown	Browse	199.232.188.157
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	PO 635614 635613_CQDM.html	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	kQyd2z80gD.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://app.writesonic.com/share/writing-assistant/d140c48b-3642-43bf-a085-e258c1fb4f03	Get hash	malicious	Unknown	Browse	34.155.67.112
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	gNubpp8EFH.elf	Get hash	malicious	Mirai	Browse	51.129.30.184
	fOTHzKNyyk.elf	Get hash	malicious	Mirai	Browse	57.45.185.202
	5tSAlF2WkT.elf	Get hash	malicious	Mirai	Browse	51.209.232.2
	ai3eCONS9Q.elf	Get hash	malicious	Mirai	Browse	51.228.195.88
	jade.x86.elf	Get hash	malicious	Mirai	Browse	34.179.66.151

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb7cba75-108e-4320-8151-e5d50e5987e9.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178741981324005
Encrypted:	false
SSDEEP:	192:HjMXlRycbhbVbTbfbRbObtbyEl7nMrkJA6WnSrDtTUd/SkDrWw:HYqcNhnzFSJsr3BnSrDhUd/J
MD5:	D55E50A0C31931B574D91022EDAB7B35
SHA1:	9F73CDCF6DB0BBBDBDB2AEB2AA962E31DAD43DB4
SHA-256:	857758237D5D05E810AE5E464AC062D1EA033F97FB483B78E8836CCFB6C314F7
SHA-512:	E2FC10434C2D92B841AE88C4733925C2FD2CFF3F76F1147D7855053B8CC39CCD48E61A05B861C3B8E743B867C6D54EC8A0BE0301826833CE4F007B4642FFA72E
Malicious:	false
Preview:	{"type":"uninstall","id":"cb7cba75-108e-4320-8151-e5d50e5987e9","creationDate":"2024-10-24T15:04:24.426Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb7cba75-108e-4320-8151-e5d50e5987e9.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178741981324005
Encrypted:	false
SSDEEP:	192:HjMXlRycbhbVbTbfbRbObtbyEl7nMrkJA6WnSrDtTUd/SkDrWw:HYqcNhnzFSJsr3BnSrDhUd/J
MD5:	D55E50A0C31931B574D91022EDAB7B35
SHA1:	9F73CDCF6DB0BBBDBDB2AEB2AA962E31DAD43DB4
SHA-256:	857758237D5D05E810AE5E464AC062D1EA033F97FB483B78E8836CCFB6C314F7
SHA-512:	E2FC10434C2D92B841AE88C4733925C2FD2CFF3F76F1147D7855053B8CC39CCD48E61A05B861C3B8E743B867C6D54EC8A0BE0301826833CE4F007B4642FFA72E
Malicious:	false
Preview:	{"type":"uninstall","id":"cb7cba75-108e-4320-8151-e5d50e5987e9","creationDate":"2024-10-24T15:04:24.426Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924274845642667
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLUqGk8P:8S+OBIUjOdwiOdYVjjwLnGk8P
MD5:	4BF04296A6EDEAA55CFA6ED4E8C3AECE
SHA1:	E3DB5046BCA145F6A0823029C020F7FC489F864A
SHA-256:	4ABE85A6F1AD890E7594C41A3CAD4FC2E517A8C729B31F1D4823259295665E53
SHA-512:	EF90341F57F2D4B77CA2416714488E2FBFE3D04EDEC78F13A56D6ED9826C81FA555AFD8241B097376E46A33FD323A025B39AD9045BCD422F59FE3B9CE35E45F8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924274845642667
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLUqGk8P:8S+OBIUjOdwiOdYVjjwLnGk8P
MD5:	4BF04296A6EDEAA55CFA6ED4E8C3AECE
SHA1:	E3DB5046BCA145F6A0823029C020F7FC489F864A
SHA-256:	4ABE85A6F1AD890E7594C41A3CAD4FC2E517A8C729B31F1D4823259295665E53
SHA-512:	EF90341F57F2D4B77CA2416714488E2FBFE3D04EDEC78F13A56D6ED9826C81FA555AFD8241B097376E46A33FD323A025B39AD9045BCD422F59FE3B9CE35E45F8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07331055841493536
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkimg:DLhesh7Owd4+ji
MD5:	317676718AD4205E7F4F6AEFA164A4C4
SHA1:	89C5B7B28F7379DEB4100A54BEB6AF5A0CB2B840
SHA-256:	77678587018C6D1510BCBB1AC2E15B8D99A09EF80F6A3314C4FD8D0B5A0B5AF8
SHA-512:	A0D29E7B19C7BCD2C685F425027208C7E6F8B8E991D8F51A25B2A10CBD9C3A734971A4DA889A634A985B0A139AC83FE316D8E138D6F888D310470A098928D8A7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03527348911229007
Encrypted:	false
SSDEEP:	3:GtlstFWwqjOCGtlstFWwqjOC789//alEl:GtWtUbOCGtWtUbOC789XuM
MD5:	60775D8D367979BDF3D9B7CEAEE2760C
SHA1:	2F4E20B0906E27B056028A09276F5099253C0615
SHA-256:	C179471D6F7D8599F12B78C653DF4955E670859CA77533E0FD6AB4D2C3F4C826
SHA-512:	A4BD7149260D1148C5A8BAEE8A5E4582097B76491A4F4CB0FF35C1111EADDE809A88953F9A12D31514A971B1A95963BAA90A670A37BC2B4437571D7ED4FB4C5F
Malicious:	false
Preview:	..-...........................C...0A....9........-...........................C...0A....9..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03955853810435866
Encrypted:	false
SSDEEP:	3:Ol1wPNf9Ljomr9h7l8rEXsxdwhml8XW3R2:K2P3LUmrLl8dMhm93w
MD5:	F1F4D5AA25ACDF575446FEBCF407C7F7
SHA1:	26ABE5BCA0586FBB2BB7EA498EFF4F8761BEBB23
SHA-256:	0C5F4755CDF107F79E975DA9BB9D62F28F3A21ED9FD758014FD2003E5CCFD4C0
SHA-512:	09DBC29F766EE1A06628097889FF615BDE0ACFADF3D9ABAB0D42AD6A8F9C09E7D8A45777C1EC05125193FD380D6EC977DA794908DD6D1F45A526D78C988A8C2C
Malicious:	false
Preview:	7....-............0A.........lJt..........0A.........C.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494048148094088
Encrypted:	false
SSDEEP:	192:8naRtLYbBp6qhj4qyaaXE6K0pNnef5RfGNBw8dGSl:ReMqArD8cwd0
MD5:	8E50A8F176EA54C7B74AFA1BB0821809
SHA1:	F26A05C58764DF929D9C664E87600050835D594F
SHA-256:	3F889B5A265D32E55114C51732A3BEADE5D84BF1E08D284D1BF407381DB5F23E
SHA-512:	7E21A1CC80EAEDEC1AF469AA9ECFC8DC0EF02BD3DBC997BD1B3FE9AFE91C9EB065EFDFFC8BDC8E2051127C2634047F9211612D03CDC4B1D5DFA5727D995B4062
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729782234);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729782234);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729782234);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172978

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494048148094088
Encrypted:	false
SSDEEP:	192:8naRtLYbBp6qhj4qyaaXE6K0pNnef5RfGNBw8dGSl:ReMqArD8cwd0
MD5:	8E50A8F176EA54C7B74AFA1BB0821809
SHA1:	F26A05C58764DF929D9C664E87600050835D594F
SHA-256:	3F889B5A265D32E55114C51732A3BEADE5D84BF1E08D284D1BF407381DB5F23E
SHA-512:	7E21A1CC80EAEDEC1AF469AA9ECFC8DC0EF02BD3DBC997BD1B3FE9AFE91C9EB065EFDFFC8BDC8E2051127C2634047F9211612D03CDC4B1D5DFA5727D995B4062
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729782234);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729782234);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729782234);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172978

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.3594258784034166
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSvnHLXnIgXXD/pnxQwRls6Zsp9rGH3j6xiMLctdL/5QH2oXpTurD/IE:cpOxaH/tnRTZY9aGxHLc5kpTgw6w4
MD5:	3898BC9F6D6392CD3F0191EB30DE46D9
SHA1:	0BE3B4BF77D22ACF06933E359D7F61ED4357D8D5
SHA-256:	03B8CB383E979AB6CDCA98D2A88DCCB632F42AB0484AD038E1EA987AABA3CA83
SHA-512:	B2D55BAFC00AC9706C070B7275B751FB01DC12B03702C04DDA1998D4E7A3C024D69BEC6E6EFE71C4C96FDB0AAC432B4CA834F92B39B0E29746A54308EE941EEE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c1e2191b-bf23-49a5-8844-5794c0a8a03b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729782241102,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..mUpdate...startTim..P04275...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...12040,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.3594258784034166
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSvnHLXnIgXXD/pnxQwRls6Zsp9rGH3j6xiMLctdL/5QH2oXpTurD/IE:cpOxaH/tnRTZY9aGxHLc5kpTgw6w4
MD5:	3898BC9F6D6392CD3F0191EB30DE46D9
SHA1:	0BE3B4BF77D22ACF06933E359D7F61ED4357D8D5
SHA-256:	03B8CB383E979AB6CDCA98D2A88DCCB632F42AB0484AD038E1EA987AABA3CA83
SHA-512:	B2D55BAFC00AC9706C070B7275B751FB01DC12B03702C04DDA1998D4E7A3C024D69BEC6E6EFE71C4C96FDB0AAC432B4CA834F92B39B0E29746A54308EE941EEE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c1e2191b-bf23-49a5-8844-5794c0a8a03b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729782241102,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..mUpdate...startTim..P04275...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...12040,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	6.3594258784034166
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSvnHLXnIgXXD/pnxQwRls6Zsp9rGH3j6xiMLctdL/5QH2oXpTurD/IE:cpOxaH/tnRTZY9aGxHLc5kpTgw6w4
MD5:	3898BC9F6D6392CD3F0191EB30DE46D9
SHA1:	0BE3B4BF77D22ACF06933E359D7F61ED4357D8D5
SHA-256:	03B8CB383E979AB6CDCA98D2A88DCCB632F42AB0484AD038E1EA987AABA3CA83
SHA-512:	B2D55BAFC00AC9706C070B7275B751FB01DC12B03702C04DDA1998D4E7A3C024D69BEC6E6EFE71C4C96FDB0AAC432B4CA834F92B39B0E29746A54308EE941EEE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c1e2191b-bf23-49a5-8844-5794c0a8a03b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729782241102,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..mUpdate...startTim..P04275...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...12040,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034136635065589
Encrypted:	false
SSDEEP:	48:YrSAYN6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycNyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	7E1829A65DF0E2BCC56415942EE0D776
SHA1:	D6F845665465313B30DC6ABCBFD378D9E8D8AA04
SHA-256:	F4C41851CBDC796389450EABE79A8EA7114C38BBC2CB1D05219B36F47630E0A2
SHA-512:	FB138EF3FC95528790673B13545EEC8F645BCC1978473E343CC410C2E2FFAF734386D4CA6B5683923D3F890AE479CB536D16321AB6163BF735B12D695121C108
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-24T15:03:42.743Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034136635065589
Encrypted:	false
SSDEEP:	48:YrSAYN6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycNyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	7E1829A65DF0E2BCC56415942EE0D776
SHA1:	D6F845665465313B30DC6ABCBFD378D9E8D8AA04
SHA-256:	F4C41851CBDC796389450EABE79A8EA7114C38BBC2CB1D05219B36F47630E0A2
SHA-512:	FB138EF3FC95528790673B13545EEC8F645BCC1978473E343CC410C2E2FFAF734386D4CA6B5683923D3F890AE479CB536D16321AB6163BF735B12D695121C108
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-24T15:03:42.743Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584682295247489
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	7204a55ed486cee5061c0518d9f594ac
SHA1:	58eaf918c76803f4405230aaad34582fa1a65a4d
SHA256:	f02f2b6cc008e93e49656ee981244e2bc4c6d352dfe1921974ed88fd70c8fe17
SHA512:	e3cfd356db65c93a30842cadb5e04c7fddef5c2202a851c40a38b85ec8d49f2051cfc1790dcf4931cadab607dab92375ce41febbd06e9d7e72161e8afaee7c06
SSDEEP:	12288:NqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tt:NqDEvCTbMWu7rQYlBQcBiT6rprG8abt
TLSH:	8C159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A44CB [Thu Oct 24 12:59:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F022CB0D6D3h
jmp 00007F022CB0CFDFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F022CB0D1BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F022CB0D18Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F022CB0FD7Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F022CB0FDC8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F022CB0FDB1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	e5299250ca3cc1c00c0a2cb537524a9e	False	0.31566455696202533	data	5.3741264921045495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 15:09:10.153286934 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:10.153326988 CEST	443	60885	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:10.154181957 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:10.159128904 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:10.159143925 CEST	443	60885	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:10.777657986 CEST	443	60885	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:10.777971983 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:10.802752972 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:10.802782059 CEST	443	60885	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:10.803075075 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:10.803425074 CEST	443	60885	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:10.804727077 CEST	60885	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:12.476141930 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:12.476190090 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:12.478610039 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:12.478610039 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:12.478656054 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:12.628551960 CEST	60888	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:12.638349056 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:12.638402939 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:12.638823986 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:12.640294075 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:12.640317917 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.107995987 CEST	80	60888	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:13.108094931 CEST	60888	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:13.108356953 CEST	60888	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:13.113687038 CEST	80	60888	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:13.137411118 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:13.137454033 CEST	443	52335	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:13.142265081 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:13.142437935 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:13.142451048 CEST	443	52335	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:13.159020901 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:13.159046888 CEST	443	52336	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:13.159207106 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:13.160623074 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:13.160635948 CEST	443	52336	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:13.333684921 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.334413052 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.334948063 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:13.334956884 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.385358095 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:13.612865925 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:13.612880945 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.612994909 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:13.613131046 CEST	443	60887	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.613452911 CEST	60887	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:13.705410957 CEST	80	60888	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:13.753340006 CEST	60888	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:13.755279064 CEST	443	52335	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:13.763099909 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:13.774704933 CEST	443	52336	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:13.774806976 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:13.950700998 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.951451063 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:13.954471111 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:13.954498053 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:14.006314039 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.485549927 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:14.485580921 CEST	443	52335	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:14.485939026 CEST	443	52335	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:14.486376047 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.486413002 CEST	443	52338	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:14.488703966 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.488730907 CEST	443	52336	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:14.488830090 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.488943100 CEST	443	52336	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:14.489208937 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.489276886 CEST	443	52339	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:14.492238998 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.492269039 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:14.492343903 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.492445946 CEST	443	60889	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:14.492871046 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.492911100 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:14.496874094 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:14.496949911 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:14.497100115 CEST	443	52335	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:14.497284889 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:14.497319937 CEST	52336	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.497339010 CEST	60889	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.497354984 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.497361898 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.498833895 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.498855114 CEST	443	52338	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:14.500235081 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:14.500282049 CEST	443	52339	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:14.500849962 CEST	60888	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.506634951 CEST	80	60888	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:14.512825012 CEST	52335	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:14.512938023 CEST	60888	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.513062000 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.514396906 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:14.514411926 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:14.693828106 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.693933964 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.699203968 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:14.699280977 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:14.701915979 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.701999903 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.702099085 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.702536106 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:14.707732916 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:14.707746983 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:14.735866070 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:14.735898018 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:14.736573935 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:14.736573935 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:14.736602068 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:15.108146906 CEST	443	52339	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.108166933 CEST	443	52339	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.108630896 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.113893986 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.113908052 CEST	443	52339	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.114005089 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.114078045 CEST	443	52339	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.114198923 CEST	52339	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.120472908 CEST	443	52338	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.120491028 CEST	443	52338	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.124083996 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.128170013 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.128211975 CEST	443	52338	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.128257036 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.128407001 CEST	443	52338	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.128654003 CEST	52338	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.229722023 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.229784966 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.230580091 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.232141972 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.232161045 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.308559895 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:15.309947968 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:15.348920107 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:15.349040031 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:15.353868961 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:15.353884935 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:15.354186058 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:15.357230902 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:15.357245922 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:15.357558012 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:15.357953072 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:15.358293056 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:15.363208055 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:15.363432884 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:15.363512993 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:15.363523006 CEST	443	52343	34.160.144.191	192.168.2.4
Oct 24, 2024 15:09:15.363636971 CEST	52343	443	192.168.2.4	34.160.144.191
Oct 24, 2024 15:09:15.366183996 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:15.366192102 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:15.366302013 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:15.366400003 CEST	443	52340	142.250.186.110	192.168.2.4
Oct 24, 2024 15:09:15.366545916 CEST	52340	443	192.168.2.4	142.250.186.110
Oct 24, 2024 15:09:15.368575096 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:15.368726015 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:15.468096018 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:15.473675013 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:15.596549988 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:15.647351027 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:15.735368967 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:15.740839958 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:15.852159977 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.856029987 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.860100031 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.860110998 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.860280991 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.860635996 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.860635996 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.860660076 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.860677004 CEST	443	52347	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.862607956 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:15.869189024 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.870887041 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:15.870904922 CEST	443	52347	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:15.916990995 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:16.067338943 CEST	443	52345	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:16.068603992 CEST	52345	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:16.087970972 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:16.093525887 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:16.215101957 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:16.263161898 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:16.487869024 CEST	443	52347	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:16.487890005 CEST	443	52347	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:16.495152950 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:16.509046078 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:16.509046078 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:16.509061098 CEST	443	52347	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:16.509371996 CEST	443	52347	34.117.188.166	192.168.2.4
Oct 24, 2024 15:09:16.509578943 CEST	52347	443	192.168.2.4	34.117.188.166
Oct 24, 2024 15:09:19.406451941 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:19.406505108 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:19.406871080 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:19.407036066 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:19.407053947 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:19.500684023 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:19.500714064 CEST	443	52349	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:19.507623911 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:19.507637024 CEST	443	52350	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:19.509778976 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:19.509913921 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:19.511301041 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:19.511327982 CEST	443	52349	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:19.512754917 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:19.512772083 CEST	443	52350	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:19.523658037 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:19.530365944 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:19.547466993 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:19.547518015 CEST	443	52351	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:19.555059910 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:19.556660891 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:19.556688070 CEST	443	52351	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:19.822163105 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:19.881464005 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:19.881680965 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:19.881680965 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:20.035208941 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:20.039343119 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:20.039975882 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:20.137259960 CEST	443	52350	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:20.137361050 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:20.159867048 CEST	443	52349	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:20.159883022 CEST	443	52349	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:20.159969091 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:20.197479963 CEST	443	52351	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:20.197496891 CEST	443	52351	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:20.197560072 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:20.359055042 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:20.359083891 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:20.359474897 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:20.374612093 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:20.374651909 CEST	443	52349	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:20.374715090 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:20.374829054 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:20.374839067 CEST	443	52350	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:20.374937057 CEST	443	52349	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:20.375025988 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:20.375055075 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:20.375055075 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:20.375111103 CEST	443	52350	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:20.375271082 CEST	443	52348	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:20.376900911 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:20.376929998 CEST	443	52351	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:20.376966953 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:20.377111912 CEST	443	52351	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:20.379457951 CEST	52349	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:20.379483938 CEST	52351	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:20.379487038 CEST	52350	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:20.379623890 CEST	52348	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:24.707501888 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:24.713095903 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:24.838274956 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:24.885750055 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:26.129920959 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:26.135541916 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:26.165694952 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.165734053 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.166220903 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.167740107 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.167754889 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.258101940 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:26.305699110 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:26.323153973 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.323206902 CEST	443	52359	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.325483084 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.325669050 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.325687885 CEST	443	52359	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.642752886 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.642805099 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.642999887 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.643030882 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.643038034 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.659394026 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:26.664856911 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:26.779916048 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.780014992 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.787878990 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:26.807054043 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.807074070 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.807255030 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.807322979 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:26.807332039 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.829437017 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:26.935395956 CEST	443	52359	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:26.935496092 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.004259109 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.004342079 CEST	443	52359	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.005326033 CEST	443	52359	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.007009029 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.007110119 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.007462978 CEST	443	52359	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.007945061 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.007988930 CEST	52359	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.011369944 CEST	443	52358	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.011441946 CEST	52358	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.267476082 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.267618895 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.475819111 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.475847960 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.476308107 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.478591919 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.478838921 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.478869915 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.478884935 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.687333107 CEST	443	52360	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:27.691348076 CEST	52360	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:27.999778032 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:28.005228043 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:28.127238035 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:28.131191969 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:28.131231070 CEST	443	52361	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:28.132477045 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:28.134280920 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:28.134294033 CEST	443	52361	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:28.179991007 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:28.282274961 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:28.287687063 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:28.408986092 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:28.449584007 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:28.751450062 CEST	443	52361	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:28.751533985 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:29.558748007 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:29.558793068 CEST	443	52361	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:29.559251070 CEST	443	52361	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:29.559372902 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:29.562103987 CEST	52361	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:09:29.562134027 CEST	443	52361	34.120.208.123	192.168.2.4
Oct 24, 2024 15:09:29.934782982 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:29.940256119 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:30.061924934 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:30.117918015 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:30.313569069 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:30.319067001 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:30.440723896 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:30.487023115 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:31.179614067 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.179646015 CEST	443	52362	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:31.180146933 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.181634903 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.181643963 CEST	443	52362	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:31.802059889 CEST	443	52362	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:31.802145958 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.807245970 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.807265043 CEST	443	52362	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:31.807333946 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.807468891 CEST	443	52362	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:31.807645082 CEST	52362	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:31.811088085 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:31.816452026 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:31.938244104 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:31.941668987 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:31.947071075 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:31.991512060 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:32.068658113 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:32.123070955 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:38.221374035 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.221474886 CEST	443	52363	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.223683119 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.223853111 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.223887920 CEST	443	52363	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.246515989 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.246550083 CEST	443	52364	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.246747971 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.246834993 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.246843100 CEST	443	52364	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.251925945 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.251954079 CEST	443	52365	151.101.1.91	192.168.2.4
Oct 24, 2024 15:09:38.252072096 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.252201080 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.252214909 CEST	443	52365	151.101.1.91	192.168.2.4
Oct 24, 2024 15:09:38.267303944 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.267337084 CEST	443	52366	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:38.272753954 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.274342060 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.274353981 CEST	443	52366	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:38.284271955 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.284307957 CEST	443	52367	35.201.103.21	192.168.2.4
Oct 24, 2024 15:09:38.285449982 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.287023067 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.287034988 CEST	443	52367	35.201.103.21	192.168.2.4
Oct 24, 2024 15:09:38.847996950 CEST	443	52363	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.848136902 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.851856947 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.851886034 CEST	443	52363	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.852197886 CEST	443	52363	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.852909088 CEST	443	52364	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.852992058 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.856182098 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.856193066 CEST	443	52364	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.857013941 CEST	443	52364	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.858154058 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.858294964 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.858372927 CEST	443	52363	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.858871937 CEST	52363	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.860208988 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.860208988 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.860359907 CEST	443	52364	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.863866091 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:38.864161015 CEST	52364	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.869286060 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:38.872616053 CEST	443	52365	151.101.1.91	192.168.2.4
Oct 24, 2024 15:09:38.872721910 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.876105070 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.876116037 CEST	443	52365	151.101.1.91	192.168.2.4
Oct 24, 2024 15:09:38.876466990 CEST	443	52365	151.101.1.91	192.168.2.4
Oct 24, 2024 15:09:38.878782034 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.878880024 CEST	52365	443	192.168.2.4	151.101.1.91
Oct 24, 2024 15:09:38.891397953 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.891443968 CEST	443	52368	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.892349005 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.892476082 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.892491102 CEST	443	52368	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.894025087 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.894047022 CEST	443	52369	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.895152092 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.895272970 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.895282984 CEST	443	52369	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.895900011 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.895930052 CEST	443	52370	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.897140980 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.897241116 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:38.897255898 CEST	443	52370	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:38.906419039 CEST	443	52366	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:38.911062956 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.915946007 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.915956020 CEST	443	52366	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:38.916048050 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.916150093 CEST	443	52366	35.190.72.216	192.168.2.4
Oct 24, 2024 15:09:38.916501999 CEST	52366	443	192.168.2.4	35.190.72.216
Oct 24, 2024 15:09:38.924916029 CEST	443	52367	35.201.103.21	192.168.2.4
Oct 24, 2024 15:09:38.925118923 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.930037975 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.930058002 CEST	443	52367	35.201.103.21	192.168.2.4
Oct 24, 2024 15:09:38.930133104 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.930356979 CEST	443	52367	35.201.103.21	192.168.2.4
Oct 24, 2024 15:09:38.931061029 CEST	52367	443	192.168.2.4	35.201.103.21
Oct 24, 2024 15:09:38.942869902 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.942900896 CEST	443	52371	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.943001032 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.943085909 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:38.943097115 CEST	443	52371	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:38.990814924 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:38.993985891 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:38.999319077 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:39.044434071 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:39.120716095 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:39.166778088 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:39.514233112 CEST	443	52368	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.514322042 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.517488956 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.517503023 CEST	443	52368	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.517502069 CEST	443	52370	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.517767906 CEST	443	52368	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.518023014 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.520302057 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.520307064 CEST	443	52370	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.520978928 CEST	443	52370	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.522814035 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.522923946 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.523024082 CEST	443	52368	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.523936033 CEST	443	52369	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.523983002 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.524060011 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.524230003 CEST	52368	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.524266958 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.524490118 CEST	443	52370	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.527523041 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.527534008 CEST	443	52369	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.528049946 CEST	443	52369	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.528717995 CEST	52370	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.530617952 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.530617952 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.530822039 CEST	443	52369	35.244.181.201	192.168.2.4
Oct 24, 2024 15:09:39.531443119 CEST	52369	443	192.168.2.4	35.244.181.201
Oct 24, 2024 15:09:39.533725977 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:39.539079905 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:39.553669930 CEST	443	52371	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:39.553761005 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:39.557111979 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:39.557132959 CEST	443	52371	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:39.558010101 CEST	443	52371	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:39.560283899 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:39.560378075 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:39.560750961 CEST	443	52371	34.149.100.209	192.168.2.4
Oct 24, 2024 15:09:39.561372995 CEST	52371	443	192.168.2.4	34.149.100.209
Oct 24, 2024 15:09:39.661006927 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:39.664635897 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:39.670058012 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:39.715084076 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:39.792711973 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:39.846632004 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:42.950210094 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:42.950256109 CEST	443	52373	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:42.951064110 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:42.952610970 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:42.952625990 CEST	443	52373	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:43.573070049 CEST	443	52373	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:43.573218107 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:43.578172922 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:43.578181982 CEST	443	52373	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:43.578306913 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:43.578443050 CEST	443	52373	34.107.243.93	192.168.2.4
Oct 24, 2024 15:09:43.578564882 CEST	52373	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:09:43.582696915 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:43.588062048 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:43.710369110 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:43.714370012 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:43.719702005 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:43.758070946 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:43.841043949 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:43.896060944 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:53.711184025 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:53.716522932 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:09:53.849107027 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:09:53.854538918 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:02.136648893 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:02.141978979 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:02.788386106 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:02.788816929 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:02.788885117 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:02.790143013 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:02.790520906 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:02.792438984 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:03.040323973 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:03.162349939 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:03.207622051 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:03.637737989 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:03.637798071 CEST	443	60496	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:03.638025999 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:03.639416933 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:03.639452934 CEST	443	60496	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:04.239535093 CEST	443	60496	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:04.239919901 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:04.244414091 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:04.244457960 CEST	443	60496	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:04.244525909 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:04.244666100 CEST	443	60496	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:04.247343063 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:04.248287916 CEST	60496	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:04.252846003 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:04.374994040 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:04.378837109 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:04.384097099 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:04.426753998 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:04.505691051 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:04.558307886 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:08.352438927 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.352493048 CEST	443	60517	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.352782011 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.352819920 CEST	443	60518	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.353507042 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.353513002 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.353718042 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.353729963 CEST	443	60517	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.354121923 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.354135990 CEST	443	60518	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.374577999 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.374603987 CEST	443	60519	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.376821041 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.377017975 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.377029896 CEST	443	60519	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.960431099 CEST	443	60518	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.960562944 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.963643074 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.963654041 CEST	443	60518	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.963902950 CEST	443	60518	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.965814114 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.965948105 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.965959072 CEST	443	60517	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.965986967 CEST	443	60518	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.966145039 CEST	60518	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.966167927 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.968909025 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.968920946 CEST	443	60517	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.969163895 CEST	443	60517	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.973711014 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:08.974206924 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.974296093 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.974354029 CEST	443	60517	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.975306988 CEST	60517	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.979259968 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:08.992808104 CEST	443	60519	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.992923021 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.995862961 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.995867968 CEST	443	60519	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.997880936 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:08.997884035 CEST	443	60519	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:08.998003006 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:09.002402067 CEST	443	60519	34.120.208.123	192.168.2.4
Oct 24, 2024 15:10:09.002477884 CEST	60519	443	192.168.2.4	34.120.208.123
Oct 24, 2024 15:10:09.102569103 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:09.127932072 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:09.133337021 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:09.156197071 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:09.256161928 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:09.300390959 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:19.114707947 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:19.263956070 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:19.337579012 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:19.337601900 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:29.344358921 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:29.344357967 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:29.349912882 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:29.349967003 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:39.357492924 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:39.357496977 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:39.363590002 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:39.363640070 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:44.362932920 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.363030910 CEST	443	60710	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:44.363138914 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.364703894 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.364756107 CEST	443	60710	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:44.975661039 CEST	443	60710	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:44.975734949 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.982105017 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.982115984 CEST	443	60710	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:44.982213974 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.982247114 CEST	443	60710	34.107.243.93	192.168.2.4
Oct 24, 2024 15:10:44.983227968 CEST	60710	443	192.168.2.4	34.107.243.93
Oct 24, 2024 15:10:44.985311031 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:44.991385937 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:45.113738060 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:45.117944956 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:45.125761986 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:45.158852100 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:45.245661020 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:45.290452957 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:55.119661093 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:55.126023054 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:10:55.251183987 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:10:55.256767988 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:11:05.132282019 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:11:05.137732983 CEST	80	52342	34.107.221.82	192.168.2.4
Oct 24, 2024 15:11:05.263964891 CEST	52341	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:11:05.269692898 CEST	80	52341	34.107.221.82	192.168.2.4
Oct 24, 2024 15:11:15.145026922 CEST	52342	80	192.168.2.4	34.107.221.82
Oct 24, 2024 15:11:15.150434971 CEST	80	52342	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 15:09:10.157183886 CEST	52059	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:10.165971041 CEST	53	52059	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:10.174313068 CEST	51088	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:10.182631016 CEST	53	51088	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:12.447552919 CEST	61609	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:12.452893972 CEST	55699	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:12.463584900 CEST	53	55699	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:12.470886946 CEST	60086	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:12.476820946 CEST	60731	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:12.480640888 CEST	53	60086	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:12.481738091 CEST	51716	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:12.485606909 CEST	53	60731	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:12.489712000 CEST	53	51716	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:12.495187044 CEST	64932	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:12.502832890 CEST	53	64932	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:12.884763002 CEST	61599	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.125940084 CEST	61337	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.133558035 CEST	53	61337	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:13.138432980 CEST	64819	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.146188974 CEST	53	64819	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:13.150772095 CEST	53360	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.157727957 CEST	57809	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.158036947 CEST	53	53360	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:13.159115076 CEST	63602	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.166049004 CEST	53	57809	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:13.167021036 CEST	53	63602	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:13.168275118 CEST	55544	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:13.175901890 CEST	53	55544	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.478043079 CEST	64941	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.485760927 CEST	53	64941	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.495426893 CEST	55764	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.498797894 CEST	61720	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.502881050 CEST	53	55764	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.506509066 CEST	53	61720	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.513839960 CEST	56307	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.521363020 CEST	53	56307	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.723208904 CEST	63270	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.730287075 CEST	53	63270	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.736407995 CEST	64710	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.743834019 CEST	53	64710	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:14.746566057 CEST	53880	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:14.754295111 CEST	53	53880	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:15.736077070 CEST	49857	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:15.805768013 CEST	53	64111	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:16.095660925 CEST	52268	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:16.103682041 CEST	53	52268	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:16.121439934 CEST	65227	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:16.128897905 CEST	53	65227	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:16.141654015 CEST	51102	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:16.149023056 CEST	53	51102	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.397521973 CEST	62690	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.397770882 CEST	49843	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.406205893 CEST	53	62690	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.407411098 CEST	53	49843	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.409250021 CEST	57989	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.418073893 CEST	53	57989	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.418804884 CEST	53709	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.429089069 CEST	53	53709	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.500880957 CEST	59213	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.512564898 CEST	53	59213	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.519229889 CEST	60743	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.528337002 CEST	53	60743	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.535002947 CEST	61125	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.545175076 CEST	53	61125	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.549674988 CEST	52561	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.557969093 CEST	53	52561	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:19.562788963 CEST	51653	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:19.570693970 CEST	53	51653	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:26.145869017 CEST	61055	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:26.153955936 CEST	53	61055	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.281375885 CEST	56039	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.282274008 CEST	49209	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.282758951 CEST	64194	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.289148092 CEST	53	56039	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.289973974 CEST	53	49209	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.290097952 CEST	53	64194	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.308391094 CEST	59275	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.308391094 CEST	53711	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.308610916 CEST	56403	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.316149950 CEST	53	56403	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.316348076 CEST	53	59275	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.316792965 CEST	53	53711	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.317255020 CEST	53714	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.317255020 CEST	62526	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.324477911 CEST	53	53714	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.325488091 CEST	53	62526	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.391731977 CEST	58661	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.391731977 CEST	51442	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.392081976 CEST	57110	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.399159908 CEST	53	51442	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.399187088 CEST	53	57110	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.399200916 CEST	53	58661	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.400471926 CEST	49855	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.400521040 CEST	57230	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.407772064 CEST	53	57230	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.408389091 CEST	61527	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.408921957 CEST	53	49855	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.409672022 CEST	62286	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:28.415802956 CEST	53	61527	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:28.417593956 CEST	53	62286	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:31.180058002 CEST	60150	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:31.187640905 CEST	53	60150	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.222457886 CEST	60502	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.233019114 CEST	53	60502	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.241784096 CEST	49195	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.250850916 CEST	53	49195	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.252585888 CEST	51762	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.260550022 CEST	53	51762	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.261147022 CEST	57400	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.270184994 CEST	53	57400	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.272533894 CEST	52828	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.279875040 CEST	53	52828	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.284432888 CEST	60080	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.293262959 CEST	53	60080	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:38.296376944 CEST	53868	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:38.304750919 CEST	53	53868	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:42.949465036 CEST	58701	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:42.956985950 CEST	53	58701	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:42.965637922 CEST	61324	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:09:42.973803043 CEST	53	61324	1.1.1.1	192.168.2.4
Oct 24, 2024 15:09:48.622987032 CEST	53	51551	162.159.36.2	192.168.2.4
Oct 24, 2024 15:09:49.312371016 CEST	53	58894	1.1.1.1	192.168.2.4
Oct 24, 2024 15:10:02.136504889 CEST	54750	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:10:03.622176886 CEST	63349	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:10:03.636123896 CEST	53	63349	1.1.1.1	192.168.2.4
Oct 24, 2024 15:10:03.636934042 CEST	61306	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:10:03.644681931 CEST	53	61306	1.1.1.1	192.168.2.4
Oct 24, 2024 15:10:08.377454042 CEST	58505	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:10:08.385484934 CEST	53	58505	1.1.1.1	192.168.2.4
Oct 24, 2024 15:10:44.361490011 CEST	54299	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:10:44.372858047 CEST	53	54299	1.1.1.1	192.168.2.4
Oct 24, 2024 15:10:44.385782957 CEST	58516	53	192.168.2.4	1.1.1.1
Oct 24, 2024 15:10:44.397443056 CEST	53	58516	1.1.1.1	192.168.2.4
Oct 24, 2024 15:10:44.985599041 CEST	53466	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 15:09:10.157183886 CEST	192.168.2.4	1.1.1.1	0x226b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:10.174313068 CEST	192.168.2.4	1.1.1.1	0x7619	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:12.447552919 CEST	192.168.2.4	1.1.1.1	0xa172	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.452893972 CEST	192.168.2.4	1.1.1.1	0xf32c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.470886946 CEST	192.168.2.4	1.1.1.1	0x9497	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.476820946 CEST	192.168.2.4	1.1.1.1	0xb549	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.481738091 CEST	192.168.2.4	1.1.1.1	0x3621	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:12.495187044 CEST	192.168.2.4	1.1.1.1	0xce55	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:12.884763002 CEST	192.168.2.4	1.1.1.1	0xb3a6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.125940084 CEST	192.168.2.4	1.1.1.1	0x530a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.138432980 CEST	192.168.2.4	1.1.1.1	0x9d95	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.150772095 CEST	192.168.2.4	1.1.1.1	0xd45	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.157727957 CEST	192.168.2.4	1.1.1.1	0x8fb8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:13.159115076 CEST	192.168.2.4	1.1.1.1	0xc86b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.168275118 CEST	192.168.2.4	1.1.1.1	0xef18	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:14.478043079 CEST	192.168.2.4	1.1.1.1	0xe373	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.495426893 CEST	192.168.2.4	1.1.1.1	0x6de3	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.498797894 CEST	192.168.2.4	1.1.1.1	0xbe3	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:14.513839960 CEST	192.168.2.4	1.1.1.1	0x5e9	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.723208904 CEST	192.168.2.4	1.1.1.1	0xffe5	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.736407995 CEST	192.168.2.4	1.1.1.1	0x3cb2	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.746566057 CEST	192.168.2.4	1.1.1.1	0xa586	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:15.736077070 CEST	192.168.2.4	1.1.1.1	0x267d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:16.095660925 CEST	192.168.2.4	1.1.1.1	0x736f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:16.121439934 CEST	192.168.2.4	1.1.1.1	0xfeeb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:16.141654015 CEST	192.168.2.4	1.1.1.1	0x9c6c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:19.397521973 CEST	192.168.2.4	1.1.1.1	0xaa76	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:19.397770882 CEST	192.168.2.4	1.1.1.1	0x7663	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.409250021 CEST	192.168.2.4	1.1.1.1	0xadde	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.418804884 CEST	192.168.2.4	1.1.1.1	0x8d67	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:19.500880957 CEST	192.168.2.4	1.1.1.1	0x25c4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.519229889 CEST	192.168.2.4	1.1.1.1	0x2149	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:19.535002947 CEST	192.168.2.4	1.1.1.1	0x1176	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.549674988 CEST	192.168.2.4	1.1.1.1	0xaecd	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.562788963 CEST	192.168.2.4	1.1.1.1	0x8add	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:26.145869017 CEST	192.168.2.4	1.1.1.1	0xd4cd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:28.281375885 CEST	192.168.2.4	1.1.1.1	0x950d	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.282274008 CEST	192.168.2.4	1.1.1.1	0x6680	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.282758951 CEST	192.168.2.4	1.1.1.1	0xb275	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.308391094 CEST	192.168.2.4	1.1.1.1	0x1f98	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.308391094 CEST	192.168.2.4	1.1.1.1	0x3150	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.308610916 CEST	192.168.2.4	1.1.1.1	0xf1a3	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.317255020 CEST	192.168.2.4	1.1.1.1	0x868e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:28.317255020 CEST	192.168.2.4	1.1.1.1	0x6e70	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 24, 2024 15:09:28.391731977 CEST	192.168.2.4	1.1.1.1	0xd6a8	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:28.391731977 CEST	192.168.2.4	1.1.1.1	0x3e40	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.392081976 CEST	192.168.2.4	1.1.1.1	0x401f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.400471926 CEST	192.168.2.4	1.1.1.1	0x839e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.400521040 CEST	192.168.2.4	1.1.1.1	0x63a5	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.408389091 CEST	192.168.2.4	1.1.1.1	0xbe42	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:28.409672022 CEST	192.168.2.4	1.1.1.1	0x61f7	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:31.180058002 CEST	192.168.2.4	1.1.1.1	0x6ae6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:38.222457886 CEST	192.168.2.4	1.1.1.1	0xb1f2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 24, 2024 15:09:38.241784096 CEST	192.168.2.4	1.1.1.1	0x94c1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.252585888 CEST	192.168.2.4	1.1.1.1	0x8e3c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.261147022 CEST	192.168.2.4	1.1.1.1	0x9fbd	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 24, 2024 15:09:38.272533894 CEST	192.168.2.4	1.1.1.1	0x290a	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.284432888 CEST	192.168.2.4	1.1.1.1	0x4a06	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.296376944 CEST	192.168.2.4	1.1.1.1	0xac0e	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:09:42.949465036 CEST	192.168.2.4	1.1.1.1	0xb48	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:42.965637922 CEST	192.168.2.4	1.1.1.1	0x38d6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:10:02.136504889 CEST	192.168.2.4	1.1.1.1	0x84f3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:03.622176886 CEST	192.168.2.4	1.1.1.1	0xa35e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:03.636934042 CEST	192.168.2.4	1.1.1.1	0xee83	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:10:08.377454042 CEST	192.168.2.4	1.1.1.1	0x14e9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:10:44.361490011 CEST	192.168.2.4	1.1.1.1	0x1127	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:44.385782957 CEST	192.168.2.4	1.1.1.1	0xbe12	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 24, 2024 15:10:44.985599041 CEST	192.168.2.4	1.1.1.1	0xca3e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 15:09:10.125418901 CEST	1.1.1.1	192.168.2.4	0xbc3b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:10.165971041 CEST	1.1.1.1	192.168.2.4	0x226b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.459048986 CEST	1.1.1.1	192.168.2.4	0xa172	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:12.459048986 CEST	1.1.1.1	192.168.2.4	0xa172	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.463584900 CEST	1.1.1.1	192.168.2.4	0xf32c	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.480640888 CEST	1.1.1.1	192.168.2.4	0x9497	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.485606909 CEST	1.1.1.1	192.168.2.4	0xb549	No error (0)	youtube.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:12.489712000 CEST	1.1.1.1	192.168.2.4	0x3621	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 24, 2024 15:09:12.502832890 CEST	1.1.1.1	192.168.2.4	0xce55	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 24, 2024 15:09:13.110141039 CEST	1.1.1.1	192.168.2.4	0xb3a6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:13.110141039 CEST	1.1.1.1	192.168.2.4	0xb3a6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.132992983 CEST	1.1.1.1	192.168.2.4	0x9fcf	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:13.132992983 CEST	1.1.1.1	192.168.2.4	0x9fcf	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.146188974 CEST	1.1.1.1	192.168.2.4	0x9d95	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.158036947 CEST	1.1.1.1	192.168.2.4	0xd45	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:13.158036947 CEST	1.1.1.1	192.168.2.4	0xd45	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:13.167021036 CEST	1.1.1.1	192.168.2.4	0xc86b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.485760927 CEST	1.1.1.1	192.168.2.4	0xe373	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.502881050 CEST	1.1.1.1	192.168.2.4	0x6de3	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.521363020 CEST	1.1.1.1	192.168.2.4	0x5e9	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.521363020 CEST	1.1.1.1	192.168.2.4	0x5e9	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.730287075 CEST	1.1.1.1	192.168.2.4	0xffe5	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:14.730287075 CEST	1.1.1.1	192.168.2.4	0xffe5	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:14.730287075 CEST	1.1.1.1	192.168.2.4	0xffe5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.743834019 CEST	1.1.1.1	192.168.2.4	0x3cb2	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:14.754295111 CEST	1.1.1.1	192.168.2.4	0xa586	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 24, 2024 15:09:15.744358063 CEST	1.1.1.1	192.168.2.4	0x267d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:16.103682041 CEST	1.1.1.1	192.168.2.4	0x736f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:16.128897905 CEST	1.1.1.1	192.168.2.4	0xfeeb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.402605057 CEST	1.1.1.1	192.168.2.4	0x575f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:19.402605057 CEST	1.1.1.1	192.168.2.4	0x575f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.407411098 CEST	1.1.1.1	192.168.2.4	0x7663	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:19.407411098 CEST	1.1.1.1	192.168.2.4	0x7663	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:19.407411098 CEST	1.1.1.1	192.168.2.4	0x7663	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.418073893 CEST	1.1.1.1	192.168.2.4	0xadde	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.498370886 CEST	1.1.1.1	192.168.2.4	0x6b2e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.512564898 CEST	1.1.1.1	192.168.2.4	0x25c4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.545175076 CEST	1.1.1.1	192.168.2.4	0x1176	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:19.545175076 CEST	1.1.1.1	192.168.2.4	0x1176	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:19.557969093 CEST	1.1.1.1	192.168.2.4	0xaecd	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:26.144985914 CEST	1.1.1.1	192.168.2.4	0x8830	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289148092 CEST	1.1.1.1	192.168.2.4	0x950d	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289973974 CEST	1.1.1.1	192.168.2.4	0x6680	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:28.289973974 CEST	1.1.1.1	192.168.2.4	0x6680	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.290097952 CEST	1.1.1.1	192.168.2.4	0xb275	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:28.290097952 CEST	1.1.1.1	192.168.2.4	0xb275	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316149950 CEST	1.1.1.1	192.168.2.4	0xf1a3	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316348076 CEST	1.1.1.1	192.168.2.4	0x1f98	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.316792965 CEST	1.1.1.1	192.168.2.4	0x3150	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.324477911 CEST	1.1.1.1	192.168.2.4	0x868e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 24, 2024 15:09:28.325488091 CEST	1.1.1.1	192.168.2.4	0x6e70	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 24, 2024 15:09:28.399159908 CEST	1.1.1.1	192.168.2.4	0x3e40	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:28.399159908 CEST	1.1.1.1	192.168.2.4	0x3e40	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.399159908 CEST	1.1.1.1	192.168.2.4	0x3e40	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.399159908 CEST	1.1.1.1	192.168.2.4	0x3e40	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.399159908 CEST	1.1.1.1	192.168.2.4	0x3e40	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.399187088 CEST	1.1.1.1	192.168.2.4	0x401f	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.399200916 CEST	1.1.1.1	192.168.2.4	0xd6a8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 15:09:28.399200916 CEST	1.1.1.1	192.168.2.4	0xd6a8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 15:09:28.399200916 CEST	1.1.1.1	192.168.2.4	0xd6a8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 15:09:28.399200916 CEST	1.1.1.1	192.168.2.4	0xd6a8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 24, 2024 15:09:28.407772064 CEST	1.1.1.1	192.168.2.4	0x63a5	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.408921957 CEST	1.1.1.1	192.168.2.4	0x839e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.408921957 CEST	1.1.1.1	192.168.2.4	0x839e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.408921957 CEST	1.1.1.1	192.168.2.4	0x839e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:28.408921957 CEST	1.1.1.1	192.168.2.4	0x839e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.250850916 CEST	1.1.1.1	192.168.2.4	0x94c1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.250850916 CEST	1.1.1.1	192.168.2.4	0x94c1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.250850916 CEST	1.1.1.1	192.168.2.4	0x94c1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.250850916 CEST	1.1.1.1	192.168.2.4	0x94c1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.260550022 CEST	1.1.1.1	192.168.2.4	0x8e3c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.260550022 CEST	1.1.1.1	192.168.2.4	0x8e3c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.260550022 CEST	1.1.1.1	192.168.2.4	0x8e3c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.260550022 CEST	1.1.1.1	192.168.2.4	0x8e3c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.279875040 CEST	1.1.1.1	192.168.2.4	0x290a	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:38.279875040 CEST	1.1.1.1	192.168.2.4	0x290a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:38.293262959 CEST	1.1.1.1	192.168.2.4	0x4a06	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:09:39.545177937 CEST	1.1.1.1	192.168.2.4	0x13c3	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:39.545177937 CEST	1.1.1.1	192.168.2.4	0x13c3	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:09:42.956985950 CEST	1.1.1.1	192.168.2.4	0xb48	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:02.144058943 CEST	1.1.1.1	192.168.2.4	0x84f3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:10:02.144058943 CEST	1.1.1.1	192.168.2.4	0x84f3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:03.636123896 CEST	1.1.1.1	192.168.2.4	0xa35e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:08.359217882 CEST	1.1.1.1	192.168.2.4	0xa288	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:44.372858047 CEST	1.1.1.1	192.168.2.4	0x1127	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:10:44.995280981 CEST	1.1.1.1	192.168.2.4	0xca3e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:10:44.995280981 CEST	1.1.1.1	192.168.2.4	0xca3e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	60888	34.107.221.82	80	7716	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 15:09:13.108356953 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:13.705410957 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75414 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	52341	34.107.221.82	80	7716	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 15:09:14.702099085 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:15.308559895 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81962 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:15.468096018 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:15.596549988 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81962 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:16.087970972 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:16.215101957 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81963 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:24.707501888 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:24.838274956 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81971 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:26.659394026 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:26.787878990 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81973 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:28.282274961 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:28.408986092 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81975 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:30.313569069 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:30.440723896 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81977 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:31.941668987 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:32.068658113 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81979 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:38.993985891 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:39.120716095 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81986 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:39.664635897 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:39.792711973 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81986 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:43.714370012 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:09:43.841043949 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 81990 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:09:53.849107027 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:02.792438984 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:10:03.162349939 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 82010 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:10:04.378837109 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:10:04.505691051 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 82011 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:10:09.127932072 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:10:09.256161928 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 82016 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:10:19.263956070 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:29.344358921 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:39.357492924 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:45.117944956 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 24, 2024 15:10:45.245661020 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 23 Oct 2024 14:23:13 GMT Age: 82052 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 24, 2024 15:10:55.251183987 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:11:05.263964891 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	52342	34.107.221.82	80	7716	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 15:09:14.702536106 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:15.309947968 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75416 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:15.735368967 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:15.862607956 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75416 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:19.523658037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:19.822163105 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75420 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:19.881464005 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75420 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:26.129920959 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:26.258101940 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75427 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:27.999778032 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:28.127238035 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75429 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:29.934782982 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:30.061924934 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75430 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:31.811088085 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:31.938244104 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75432 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:38.863866091 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:38.990814924 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75439 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:39.533725977 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:39.661006927 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75440 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:43.582696915 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:09:43.710369110 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75444 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:09:53.711184025 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:02.136648893 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:10:02.788386106 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75463 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:10:02.788816929 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75463 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:10:02.788885117 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75463 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:10:04.247343063 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:10:04.374994040 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75465 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:10:08.973711014 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:10:09.102569103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75470 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:10:19.114707947 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:29.344357967 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:39.357496977 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:10:44.985311031 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 24, 2024 15:10:45.113738060 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 23 Oct 2024 16:12:19 GMT Age: 75506 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 24, 2024 15:10:55.119661093 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:11:05.132282019 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 24, 2024 15:11:15.145026922 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	09:09:02
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x880000
File size:	919'552 bytes
MD5 hash:	7204A55ED486CEE5061C0518D9F594AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:09:02
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:09:02
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:09:04
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:09:04
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x650000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:09:05
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:09:06
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {baac71d5-40f3-4bd6-b9a2-f58f729b2199} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27bffd70310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:09:09
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -parentBuildID 20230927232528 -prefsHandle 1540 -prefMapHandle 4036 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d14240-9cd3-49bb-8984-b5bc4d0eecb7} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9223cb10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:09:18
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5340 -prefMapHandle 5352 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {316c6cfb-6661-4d2d-9a1c-1d3edad563fa} 7716 "\\.\pipe\gecko-crash-server-pipe.7716" 27b9e0a7110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1553
Total number of Limit Nodes:	58

Executed Functions

Function 008842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0088430D

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

GetCurrentProcess.KERNEL32(?,0091CB64,00000000,?,?), ref: 00884422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00884429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00884454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00884466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00884474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0088447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008844A0

Strings

kernel32.dll, xrefs: 0088444F
GetNativeSystemInfo, xrefs: 00884460
|O, xrefs: 008C36F8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d62a8f1533483c2def36b5203ff04d5c4dc630bdd52fd6971769541f610e5e74
Instruction ID: c60c7a29d59642046ac10e4b8a27d1e7bd921e529f99146a81c5dc1ee721f27f
Opcode Fuzzy Hash: d62a8f1533483c2def36b5203ff04d5c4dc630bdd52fd6971769541f610e5e74
Instruction Fuzzy Hash: 56A1A26293E3C4DFC711E76BBC617957FA4BF3634AB0898ADE041D3A21D2304949EB25

Function 008842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008850AA,?,?,00000000,00000000), ref: 008842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008850AA,?,?,00000000,00000000), ref: 008842C9
LoadResource.KERNEL32(?,00000000,?,?,008850AA,?,?,00000000,00000000,?,?,?,?,?,?,00884F20), ref: 008C35BE
SizeofResource.KERNEL32(?,00000000,?,?,008850AA,?,?,00000000,00000000,?,?,?,?,?,?,00884F20), ref: 008C35D3
LockResource.KERNEL32(008850AA,?,?,008850AA,?,?,00000000,00000000,?,?,?,?,?,?,00884F20,?), ref: 008C35E6

Strings

SCRIPT, xrefs: 008842BF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5158cd7bd6dba36957cf76ffc89763180ce4e7852ea8650f1f6663fa87c67b49
Instruction ID: 0f6b70d8adbd806d4d2808e26776a23d8bde5604fca422951474a8d8932bea12
Opcode Fuzzy Hash: 5158cd7bd6dba36957cf76ffc89763180ce4e7852ea8650f1f6663fa87c67b49
Instruction Fuzzy Hash: 4011ACB1344305BFD7219B65DC48F677BB9FBC9B55F108569B412C6250DBB2D800D620

Function 008C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00882B6B

Part of subcall function 00883A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00951418,?,00882E7F,?,?,?,00000000), ref: 00883A78

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00942224), ref: 008C2C10
ShellExecuteW.SHELL32(00000000,?,?,00942224), ref: 008C2C17

Strings

runas, xrefs: 008C2C0B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 0f02a7378bd4ce07f5dbc668e5b19c010b555638358dc21db92bd9fb58720b96
Instruction ID: dc1fb6bd80b61490537ea2a46cea31fd0e3106122316bf3dc148349d8cf0aeb1
Opcode Fuzzy Hash: 0f02a7378bd4ce07f5dbc668e5b19c010b555638358dc21db92bd9fb58720b96
Instruction Fuzzy Hash: 9C11BE31208305AAC715FF68E852EBEB7A4FB95765F48142DF082D21E2CF218A4AD713

Function 008ED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008ED501
Process32FirstW.KERNEL32(00000000,?), ref: 008ED50F
Process32NextW.KERNEL32(00000000,?), ref: 008ED52F
CloseHandle.KERNELBASE(00000000), ref: 008ED5DC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bd3e66cc4eb8f3a7eac7e4e6186f9f15283bef2deaf6b01aa3e9ec3bea638696
Instruction ID: 0e086edd5fd0ddbb527797945510f3851dae77ea575c645418fe20939e747469
Opcode Fuzzy Hash: bd3e66cc4eb8f3a7eac7e4e6186f9f15283bef2deaf6b01aa3e9ec3bea638696
Instruction Fuzzy Hash: E6317E71108341AFD304EF58C885AAFBBE8FF99354F14092DF581D61A1EB71AA49CB93

Function 008EDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,008C5222), ref: 008EDBCE
GetFileAttributesW.KERNELBASE(?), ref: 008EDBDD
FindFirstFileW.KERNEL32(?,?), ref: 008EDBEE
FindClose.KERNEL32(00000000), ref: 008EDBFA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5bfa242c1e36fa97c58a67d227672a03bf7df5d7cbff8534b0954c3a5da79bf4
Instruction ID: fe7ac88ffb42ac122eddb7dba32326c2316d53c2390438353bbeca957e99ca59
Opcode Fuzzy Hash: 5bfa242c1e36fa97c58a67d227672a03bf7df5d7cbff8534b0954c3a5da79bf4
Instruction Fuzzy Hash: 4CF0EC704686145782206B7C9C0D4EA376CEF03374B208702F435C11F0EBB09D58D5D6

Function 008A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008B28E9,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002,00000000,?,008B28E9), ref: 008A4D09
TerminateProcess.KERNEL32(00000000,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002,00000000,?,008B28E9), ref: 008A4D10
ExitProcess.KERNEL32 ref: 008A4D22

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 301272f74f2cbb7af78f7c33410a2fcb76987c0b24a4c2e7ab5cf04c060239c0
Instruction ID: 9d2787c340cdcf857163db68a9ea59a646fe84361be19f9af7ee43761970f64d
Opcode Fuzzy Hash: 301272f74f2cbb7af78f7c33410a2fcb76987c0b24a4c2e7ab5cf04c060239c0
Instruction Fuzzy Hash: E0E0B671154148ABDF11AF58DE09A987B69FB82785B108014FD15CA632DB75DE42EB80

Function 0090AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0090B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0090B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0090B1D4
_wcslen.LIBCMT ref: 0090B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0090B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0090B236
_wcslen.LIBCMT ref: 0090B332

Part of subcall function 008F05A7: GetStdHandle.KERNEL32(000000F6), ref: 008F05C6

_wcslen.LIBCMT ref: 0090B34B
_wcslen.LIBCMT ref: 0090B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0090B3B6
GetLastError.KERNEL32(00000000), ref: 0090B407
CloseHandle.KERNEL32(?), ref: 0090B439
CloseHandle.KERNEL32(00000000), ref: 0090B44A
CloseHandle.KERNEL32(00000000), ref: 0090B45C
CloseHandle.KERNEL32(00000000), ref: 0090B46E
CloseHandle.KERNEL32(?), ref: 0090B4E3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d689ff72e57a66a004c1d32295857685f4d491a33f93266eb7da7be7b2508894
Instruction ID: d129d29f779fb57ecdbf59063c54ec87e20bad19d603ac4cd2ae348bc6dc0fc0
Opcode Fuzzy Hash: d689ff72e57a66a004c1d32295857685f4d491a33f93266eb7da7be7b2508894
Instruction Fuzzy Hash: 26F17B716082409FCB14EF28C891B6EBBE5FF85714F18895DF8959B2A2DB31EC44CB52

Function 0088D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0088D807
timeGetTime.WINMM ref: 0088DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0088DB28
TranslateMessage.USER32(?), ref: 0088DB7B
DispatchMessageW.USER32(?), ref: 0088DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0088DB9F
Sleep.KERNELBASE(0000000A), ref: 0088DBB1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: a2f553b4057098d65056511f21eff7a6d1410ba26339458e53068071f6c6ef18
Instruction ID: 8ae5821de2cc025083bd6dd2497f3bdbb7dc5a47bd24ee16d586ea4699358ac4
Opcode Fuzzy Hash: a2f553b4057098d65056511f21eff7a6d1410ba26339458e53068071f6c6ef18
Instruction Fuzzy Hash: EF42EF70608345EFDB28EF28C844BAABBE1FF96314F14865AE495C7391D770E844DB92

Function 00882CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00882D07
RegisterClassExW.USER32(00000030), ref: 00882D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00882D42
InitCommonControlsEx.COMCTL32(?), ref: 00882D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00882D6F
LoadIconW.USER32(000000A9), ref: 00882D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00882D94

Strings

TaskbarCreated, xrefs: 00882D37
AutoIt v3 GUI, xrefs: 00882D23
+, xrefs: 00882CF0
0, xrefs: 00882CE9

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 24b51536be07406fe832f1b2b30246bce656d7d829a97fe9934dc9edfaee302d
Instruction ID: cc8700d5c8826271a28463271080ea3b78c7ac9e5666311dca1e63aa0d47bc6d
Opcode Fuzzy Hash: 24b51536be07406fe832f1b2b30246bce656d7d829a97fe9934dc9edfaee302d
Instruction Fuzzy Hash: 5921C4B5E65318AFDB00DFA5EC59BDDBBB4FB08701F00811AF511A62A0D7B14644EF91

Function 008C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008C039A: CreateFileW.KERNELBASE(00000000,00000000,?,008C0704,?,?,00000000,?,008C0704,00000000,0000000C), ref: 008C03B7

GetLastError.KERNEL32 ref: 008C076F
__dosmaperr.LIBCMT ref: 008C0776
GetFileType.KERNELBASE(00000000), ref: 008C0782
GetLastError.KERNEL32 ref: 008C078C
__dosmaperr.LIBCMT ref: 008C0795
CloseHandle.KERNEL32(00000000), ref: 008C07B5
CloseHandle.KERNEL32(?), ref: 008C08FF
GetLastError.KERNEL32 ref: 008C0931
__dosmaperr.LIBCMT ref: 008C0938

Strings

H, xrefs: 008C08BD

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a4ca73ce52290f3eaf8f7840d7306f6e38f74663e7a883f787736691f1946e8c
Instruction ID: bfe13d1c4eca2de7f6b11fac5cfed073e40d9628dd19359993c5b3e9c8141c39
Opcode Fuzzy Hash: a4ca73ce52290f3eaf8f7840d7306f6e38f74663e7a883f787736691f1946e8c
Instruction Fuzzy Hash: 74A10132A142088FDF19AFA8D851BAE3BB0FB4A364F14415DF811DB292D731D912DF92

Function 0088344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00883A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00951418,?,00882E7F,?,?,?,00000000), ref: 00883A78

Part of subcall function 00883357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00883379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0088356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008C31CE
RegCloseKey.ADVAPI32(?), ref: 008C3210
_wcslen.LIBCMT ref: 008C3277
_wcslen.LIBCMT ref: 008C3286

Strings

Include, xrefs: 008C3184, 008C31C5
\Include\, xrefs: 00883527
\, xrefs: 008C328C
Software\AutoIt v3\AutoIt, xrefs: 00883560

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0577bf6a123fe911a69ee93516c677b80e9c5c01a76386b36638e12bd0a69e68
Instruction ID: ef878ea75e2d1aed095ce3e340f9f286a2faed59e060869f9b955bb7923d6416
Opcode Fuzzy Hash: 0577bf6a123fe911a69ee93516c677b80e9c5c01a76386b36638e12bd0a69e68
Instruction Fuzzy Hash: 3D717F715183019EC714EF6AEC819ABBBE8FF86B41F40442EF545D71A0EB30DA49DB52

Function 00882B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00882B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00882B9D
LoadIconW.USER32(00000063), ref: 00882BB3
LoadIconW.USER32(000000A4), ref: 00882BC5
LoadIconW.USER32(000000A2), ref: 00882BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00882BEF
RegisterClassExW.USER32(?), ref: 00882C40

Part of subcall function 00882CD4: GetSysColorBrush.USER32(0000000F), ref: 00882D07
Part of subcall function 00882CD4: RegisterClassExW.USER32(00000030), ref: 00882D31
Part of subcall function 00882CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00882D42
Part of subcall function 00882CD4: InitCommonControlsEx.COMCTL32(?), ref: 00882D5F
Part of subcall function 00882CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00882D6F
Part of subcall function 00882CD4: LoadIconW.USER32(000000A9), ref: 00882D85
Part of subcall function 00882CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00882D94

Strings

AutoIt v3, xrefs: 00882C2F
#, xrefs: 00882C16
0, xrefs: 00882C0F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: eb55fb7a55786c3bf3fc5813622340c88480822fbadde941128e4f0ffc60b175
Instruction ID: af5270951c1c09eb049e6fc5a1dc2a938bf28d465a5477b909df4a8d6858e11a
Opcode Fuzzy Hash: eb55fb7a55786c3bf3fc5813622340c88480822fbadde941128e4f0ffc60b175
Instruction Fuzzy Hash: A1216FB4E68318AFDB109FA6EC65BED7FB4FB08B51F00415AF500A66A0D3B10940EF90

Function 00883170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0088316A,?,?), ref: 008831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0088316A,?,?), ref: 00883204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00883227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0088316A,?,?), ref: 00883232
CreatePopupMenu.USER32 ref: 00883246
PostQuitMessage.USER32(00000000), ref: 00883267

Strings

TaskbarCreated, xrefs: 0088322D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 63434b8802e2162f7cbd4d951a46fd1c5b8475fd58e0d894ed52974548dfc8f0
Instruction ID: bc6a3ee169db6775082a526c2adeddc5f9a0124885637c58f5a91dfb7f614a70
Opcode Fuzzy Hash: 63434b8802e2162f7cbd4d951a46fd1c5b8475fd58e0d894ed52974548dfc8f0
Instruction Fuzzy Hash: 15412735258308A7DB257B78AC1DBBD3A69F705F06F044125F902C52E2CBB09A40E762

Function 00881410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00881459
CoUninitialize.COMBASE ref: 008814F8
UnregisterHotKey.USER32(?), ref: 008816DD
DestroyWindow.USER32(?), ref: 008C24B9
FreeLibrary.KERNEL32(?), ref: 008C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008C254B

Strings

close all, xrefs: 00881454

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 854e944bfc45150e5ac076b85035a3b310671e050f3492f4a9e498049d57d184
Instruction ID: f13a35e9271b8a475c256355eec35a48025a35b0ac3d8a6fe79fe01e36624dcf
Opcode Fuzzy Hash: 854e944bfc45150e5ac076b85035a3b310671e050f3492f4a9e498049d57d184
Instruction Fuzzy Hash: 6AD113717012128BCB29EF19C899E69F7A4FF05714F1442ADE54AEB292DB30ED12CF51

Function 00882C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00882C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00882CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00881CAD,?), ref: 00882CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00881CAD,?), ref: 00882CCF

Strings

AutoIt v3, xrefs: 00882C89, 00882C8E, 00882C8F
edit, xrefs: 00882CAC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1003a25a081451e6539d06d4bc934639b9ce5211156f9066a485d26bf196fa29
Instruction ID: cf46db15b523e638dfb985015c25a4aa9f62fc3352821d3ef64daaec5f796173
Opcode Fuzzy Hash: 1003a25a081451e6539d06d4bc934639b9ce5211156f9066a485d26bf196fa29
Instruction Fuzzy Hash: 87F03AB56A53947AEB300713AC18FB72EBDD7C6F61F01401AF900A21B0C2710840EBB0

Function 00883B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00883B0F,SwapMouseButtons,00000004,?), ref: 00883B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00883B0F,SwapMouseButtons,00000004,?), ref: 00883B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00883B0F,SwapMouseButtons,00000004,?), ref: 00883B83

Strings

Control Panel\Mouse, xrefs: 00883B3E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 7474fa0dcbb12aa6cce67d9f7524ede0d804ccac604ec1ffb3d6b0bd3193b6b8
Instruction ID: e032a7eb7584eac7938e95a5ec572ad06d466b03e25b951d9781c21c97db7dc1
Opcode Fuzzy Hash: 7474fa0dcbb12aa6cce67d9f7524ede0d804ccac604ec1ffb3d6b0bd3193b6b8
Instruction Fuzzy Hash: AB112AB5620208FFDB20DFA5DC44AEEB7B8FF05B94B108459A805D7110E2319F40A760

Function 00883923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008C33A2

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00883A04

Strings

Line: , xrefs: 008C33EB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 81ff6135e333ae1d919143afd8e1a04b38e9da0ee446be89bec722314cdac691
Instruction ID: 92dda882688d04adc7145cbff82025f1e33aedf60e303c42edd4478c303ad8b7
Opcode Fuzzy Hash: 81ff6135e333ae1d919143afd8e1a04b38e9da0ee446be89bec722314cdac691
Instruction Fuzzy Hash: 3231CE71518304AAD725FB28EC45BEBB7E8FB81B14F00492AF599D2191EB709A49C7C3

Function 0089FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008A0668

Part of subcall function 008A32A4: RaiseException.KERNEL32(?,?,?,008A068A,?,00951444,?,?,?,?,?,?,008A068A,00881129,00948738,00881129), ref: 008A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008A0685

Strings

Unknown exception, xrefs: 008A0692

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1faea02e25444cf5ab38ab557d57975b7f81c1e7fda9265212350de9cd65a11b
Instruction ID: 00b63258e11765e73b51b0fc0949697ae677703169afc284603087a7fd438027
Opcode Fuzzy Hash: 1faea02e25444cf5ab38ab557d57975b7f81c1e7fda9265212350de9cd65a11b
Instruction Fuzzy Hash: 11F0FF3490030C639F04B6A8D846D9E776CFE42358B604030B914D2C92EF70EA25CA82

Function 008810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00881BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00881BF4
Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00881BFC
Part of subcall function 00881BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00881C07
Part of subcall function 00881BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00881C12
Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00881C1A
Part of subcall function 00881BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00881C22

Part of subcall function 00881B4A: RegisterWindowMessageW.USER32(00000004,?,008812C4), ref: 00881BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088136A
OleInitialize.OLE32 ref: 00881388
CloseHandle.KERNEL32(00000000,00000000), ref: 008C24AB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3a2cc49636f23ca50479789f473d357950d302fa14a00daf97dbfaa9ae17cf0a
Instruction ID: 642e690e563de54df476ee924941194e091bdb2244f2cfd8e9fe0c508a431f78
Opcode Fuzzy Hash: 3a2cc49636f23ca50479789f473d357950d302fa14a00daf97dbfaa9ae17cf0a
Instruction Fuzzy Hash: A571BCB49293008FC798EF7FA9457953AE4FB88346754862AE51AC7371FB304846EF41

Function 008EC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00883923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00883A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008EC259
KillTimer.USER32(?,00000001,?,?), ref: 008EC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008EC270

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 8025cee67d9dd35cf2abee5a53264f508942cffaaf06742d607948bf95480b98
Instruction ID: 43ee7fbccd3cc35be707a373de39c42b349d8bc0de0fd62393f9c371c2843cc5
Opcode Fuzzy Hash: 8025cee67d9dd35cf2abee5a53264f508942cffaaf06742d607948bf95480b98
Instruction Fuzzy Hash: A7318470904384AFEB229F658855BE6BBECEB07308F00449AD69AD7241C7745A85DB51

Function 008B86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008B85CC,?,00948CC8,0000000C), ref: 008B8704
GetLastError.KERNEL32(?,008B85CC,?,00948CC8,0000000C), ref: 008B870E
__dosmaperr.LIBCMT ref: 008B8739

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 28732caee981ebeb5f82ee2e128be70c6fb5a9fbf2a919c22b21cda821d7567b
Instruction ID: 9e5f18822a16487e500430168606a4d7d75d0871dd8f01446107c857cd40b58c
Opcode Fuzzy Hash: 28732caee981ebeb5f82ee2e128be70c6fb5a9fbf2a919c22b21cda821d7567b
Instruction Fuzzy Hash: C2016B32608320A6D6647238A8497FF2B8DEBA7778F380119F814CB3D2DEA08C85C251

Function 0088DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0088DB7B
DispatchMessageW.USER32(?), ref: 0088DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0088DB9F
Sleep.KERNELBASE(0000000A), ref: 0088DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008D1CC9

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 09d0508acf213363a52894f1c6da2dc3e6d48a83c8e9a1d5f90fff94b062a4b8
Instruction ID: 016c64167f64ea2d982cbe52beeb07d81d59dfb765ec0e58ba6ed6ed0e9c82fb
Opcode Fuzzy Hash: 09d0508acf213363a52894f1c6da2dc3e6d48a83c8e9a1d5f90fff94b062a4b8
Instruction Fuzzy Hash: F3F05E70668340ABEB30DB618C49FEA73A9FF44311F108A19E60AC30C0DB70A488DB15

Function 00891310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008917F6

Strings

CALL, xrefs: 008917C6

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: de78a15285c328b84415a7287387521e0d09ed3ee847238b076e044e9e5a6c22
Instruction ID: 40e4c69cba103cda3eb385e9cb3f19c4fa41de59f501a4ce849a64aa3ae558a4
Opcode Fuzzy Hash: de78a15285c328b84415a7287387521e0d09ed3ee847238b076e044e9e5a6c22
Instruction Fuzzy Hash: EB226B706082069FCB14EF18C484A2ABBF1FF89314F19896DF596CB362D771E855CB92

Function 00882DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008C2C8C

Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2

Part of subcall function 00882DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00882DC4

Strings

X, xrefs: 008C2C5A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 26f4f6b232fec7e03dd76b4afa1db6298994d99c539a79ffcdbef8c7eeb08029
Instruction ID: c4a2da87e8949b29f2a9767c930fe33ba0626726fe9ae371503169a1da45a62b
Opcode Fuzzy Hash: 26f4f6b232fec7e03dd76b4afa1db6298994d99c539a79ffcdbef8c7eeb08029
Instruction Fuzzy Hash: B121C371A102589FCF01EF98C849BEE7BF8FF49714F008059E405E7241DBB49A498B62

Function 00883837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00883908

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 087c7537875f6ef1aed29f951aa64eccf569419f2452953fd8308e70f2f79b36
Instruction ID: 6e8029acc99a5bbb99572c46208b2e1ba60b519bed98c81775a341dc8674d44c
Opcode Fuzzy Hash: 087c7537875f6ef1aed29f951aa64eccf569419f2452953fd8308e70f2f79b36
Instruction Fuzzy Hash: C03191B06083019FD720EF25D894797BBE8FB49709F00092EF99AD3250E771AA44DB52

Function 0089F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0089F661

Part of subcall function 0088D730: GetInputState.USER32 ref: 0088D807

Sleep.KERNEL32(00000000), ref: 008DF2DE

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 1c572d53cb359183fcf7c6b6128e1e339a3544b4fe6f5a4a6d8b0ea02873daf0
Instruction ID: a25be7f285b835c634bc65145f554d7a62a5cbac09d062c9ee69eed44eb18c70
Opcode Fuzzy Hash: 1c572d53cb359183fcf7c6b6128e1e339a3544b4fe6f5a4a6d8b0ea02873daf0
Instruction Fuzzy Hash: 36F082712843059FD314FF69D445B5ABBE4FF45761F004029E859C73A1DB70B800CB91

Function 00884ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00884E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E9C
Part of subcall function 00884E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884EAE
Part of subcall function 00884E90: FreeLibrary.KERNEL32(00000000,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EFD

Part of subcall function 00884E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E62
Part of subcall function 00884E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884E74
Part of subcall function 00884E59: FreeLibrary.KERNEL32(00000000,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E87

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 5cb913f15105cf838e85e36c05f0f67c1912bdce08b9ed613e160e5e2ad80528
Instruction ID: 7d931574b49efa688b0c474d7c3c7d96dde3cd5612353a45d6f9e734065bde4b
Opcode Fuzzy Hash: 5cb913f15105cf838e85e36c05f0f67c1912bdce08b9ed613e160e5e2ad80528
Instruction Fuzzy Hash: 1311E332650206AADB24BF68DC02FAD77A5FF40714F10842EF642E61C1EE70DE459751

Function 008B8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008B8440

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 27d9446163fbb182e01691068916ed9c9b46b39f111d48d9440925fdeb9291e5
Instruction ID: 2238151445153cbfa06d58f5a572b2c0aca4301b5d5688a2dd261a682de0625f
Opcode Fuzzy Hash: 27d9446163fbb182e01691068916ed9c9b46b39f111d48d9440925fdeb9291e5
Instruction Fuzzy Hash: 0A11F57590420AEFCB05DF58E941ADA7BF9FF48314F104059F808EB312DA31DA15CBA5

Function 008B5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008B4C7D: RtlAllocateHeap.NTDLL(00000008,00881129,00000000,?,008B2E29,00000001,00000364,?,?,?,008AF2DE,008B3863,00951444,?,0089FDF5,?), ref: 008B4CBE

_free.LIBCMT ref: 008B506C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e7f9b20b27bf42c2c0c98e1274ea5d9f00fd8958927035f262fb3a168e5dbad5
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 27012672204B056BE321DE699881A9AFBE8FB89370F25051DE184C3380EA30A806C6B4

Function 008AE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 5b4df9388b642191c08c648c224625f9d3e0975d4d2ccc078e62504fce6380ff
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3EF0D132510A14A6E6313E6D8C09B9A379CFF63334F140F15F426D2AD2DA749806C6AA

Function 008B4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00881129,00000000,?,008B2E29,00000001,00000364,?,?,?,008AF2DE,008B3863,00951444,?,0089FDF5,?), ref: 008B4CBE

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7cef05842524357178144f94371692aa93a9919fa0b1067d272c6d6de5384564
Instruction ID: e876cd3c1dafc6a09fd86eb1e6f63af9f65b61b6bdb1bccb60834c818c6358f0
Opcode Fuzzy Hash: 7cef05842524357178144f94371692aa93a9919fa0b1067d272c6d6de5384564
Instruction Fuzzy Hash: E9F0243120622867EB211F669C16BDA3F88FF81BA1B146121F819E6383CAB0DC0082E0

Function 008B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6,?,00881129), ref: 008B3852

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c7ef6231cf9e61a5f14dc73eaf2a214d78e0cde3529c3b23033ed82a9a41366b
Instruction ID: dbf0cb134de73e8141d98b2a1db4e33c61fd8124e82548575c89159cae94d7c1
Opcode Fuzzy Hash: c7ef6231cf9e61a5f14dc73eaf2a214d78e0cde3529c3b23033ed82a9a41366b
Instruction Fuzzy Hash: B2E0E53114422567EB2126AB9C00BDA3648FB827B0F060030BC14D2B91DBA0EE0182E3

Function 00884F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884F6D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3fd7a016c2d1eb3d460131ea484698cc80ce3f3976bdeddf3644ee5c5600bfce
Instruction ID: 1669959087c2c0666fb828d81290c945103dfe4758996db80f1a9e8eca317bac
Opcode Fuzzy Hash: 3fd7a016c2d1eb3d460131ea484698cc80ce3f3976bdeddf3644ee5c5600bfce
Instruction Fuzzy Hash: 29F03072145752CFDB34AF64D490812B7E4FF143193159D7EE2DAC2511CB319844DF10

Function 00912A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00912A66

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 35ff09b96bf5d94b44d9fcfec9d8af1940b909744bce7a35f71547be68d8e10d
Instruction ID: 283d7d9fd1e482366126d3e8dddd3c16fb6b7f36bf1287a337de197fd930ede9
Opcode Fuzzy Hash: 35ff09b96bf5d94b44d9fcfec9d8af1940b909744bce7a35f71547be68d8e10d
Instruction Fuzzy Hash: 12E0DF3239421EAACB10FB34DC848FA734CEF11390710443AAC1AC2140DB34A9A182A0

Function 008830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0088314E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ef935bbba7e07226c33fcfc16d0f5fa1ce7d7329546b0e6ab42573160cf15a53
Instruction ID: 376cf6b15da249d8436c1a6d3f45ece9948dc6c327ab7195da83586287f29bef
Opcode Fuzzy Hash: ef935bbba7e07226c33fcfc16d0f5fa1ce7d7329546b0e6ab42573160cf15a53
Instruction Fuzzy Hash: A6F037709183149FEB529B24DC497D57BBCB701708F0000E5A548D6291D7745788CF51

Function 00882DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00882DC4

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ae7858628f0be26b4416918ab6c4b81de9da0346f1519d2360121db22bfe9c9c
Instruction ID: 9f6b8347e89106f9ff90c0e2f3fa0e5aaab76241a0e42043a99dc0a5732c2305
Opcode Fuzzy Hash: ae7858628f0be26b4416918ab6c4b81de9da0346f1519d2360121db22bfe9c9c
Instruction Fuzzy Hash: DFE0CD726042245BCB10A25C9C09FDA77EDEFC8790F044075FD09D7248D970ED80C651

Function 00882B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00883837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00883908

Part of subcall function 0088D730: GetInputState.USER32 ref: 0088D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00882B6B

Part of subcall function 008830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0088314E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 15bc1e404ea5a0341de99aad75aa6abb65d7f5e70db4d92c8048973ff9d874cc
Instruction ID: 5dc35d25c066eb68223553724769aa995477cdf1299ebf6b677f627b112abd4e
Opcode Fuzzy Hash: 15bc1e404ea5a0341de99aad75aa6abb65d7f5e70db4d92c8048973ff9d874cc
Instruction Fuzzy Hash: 7AE0862130434506CA14BB7DA8525BDA759FBD5756F40153EF542C71B2CE2449498353

Function 008C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,008C0704,?,?,00000000,?,008C0704,00000000,0000000C), ref: 008C03B7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 413ce17e41e44b1fdd09f51b6e222c3adefe40586b4ad42ec04dbf39da488367
Instruction ID: bd8407aa23ac3f9d43dac8fa90a6169907ed27c0570030836ca15ac616f99a1b
Opcode Fuzzy Hash: 413ce17e41e44b1fdd09f51b6e222c3adefe40586b4ad42ec04dbf39da488367
Instruction Fuzzy Hash: 13D06C3219410DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C732E821EB90

Function 00881CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00881CBC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0b0f9253642ed4f1d228144fbe124180923c7064a01b439bdd8fd22015bcdf62
Instruction ID: d23b72e2465eece397870ca7cfc25e436473e11f75da6cbc0642f1d13edcca0b
Opcode Fuzzy Hash: 0b0f9253642ed4f1d228144fbe124180923c7064a01b439bdd8fd22015bcdf62
Instruction Fuzzy Hash: 41C092363EC304AFF3158B81BC5AF507765A348B02F048401F609A96F3D3B22820FB50

Non-executed Functions

Function 00919576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0091961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0091965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0091969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009196C9
SendMessageW.USER32 ref: 009196F2
GetKeyState.USER32(00000011), ref: 0091978B
GetKeyState.USER32(00000009), ref: 00919798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009197AE
GetKeyState.USER32(00000010), ref: 009197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009197E9
SendMessageW.USER32 ref: 00919810
SendMessageW.USER32(?,00001030,?,00917E95), ref: 00919918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0091992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00919941
SetCapture.USER32(?), ref: 0091994A
ClientToScreen.USER32(?,?), ref: 009199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009199D6
ReleaseCapture.USER32 ref: 009199E1
GetCursorPos.USER32(?), ref: 00919A19
ScreenToClient.USER32(?,?), ref: 00919A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00919A80
SendMessageW.USER32 ref: 00919AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00919AEB
SendMessageW.USER32 ref: 00919B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00919B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00919B4A
GetCursorPos.USER32(?), ref: 00919B68
ScreenToClient.USER32(?,?), ref: 00919B75
GetParent.USER32(?), ref: 00919B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00919BFA
SendMessageW.USER32 ref: 00919C2B
ClientToScreen.USER32(?,?), ref: 00919C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00919CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00919CDE
SendMessageW.USER32 ref: 00919D01
ClientToScreen.USER32(?,?), ref: 00919D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00919D82

Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952

GetWindowLongW.USER32(?,000000F0), ref: 00919E05

Strings

F, xrefs: 00919D07
@GUI_DRAGID, xrefs: 0091997D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 1fcd10ddd6a620430ecc9916e8393bc0e7a42f4dcc845c962393c2ce44dde869
Instruction ID: 6af33ab8280cb012a7903e6ea95f4e9868d17a11f2b66a5de2a28b3c71ec8e9a
Opcode Fuzzy Hash: 1fcd10ddd6a620430ecc9916e8393bc0e7a42f4dcc845c962393c2ce44dde869
Instruction Fuzzy Hash: 6E429F74308205EFD724CF28CC64BEABBE9FF89354F144619F59A872A1D7319890DB51

Function 00914873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00914908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00914927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0091494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0091495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0091497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00914A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00914A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00914A7E
IsMenu.USER32(?), ref: 00914A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00914AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00914B20
GetWindowLongW.USER32(?,000000F0), ref: 00914B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00914BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00914C82
wsprintfW.USER32 ref: 00914CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00914CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00914CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00914D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00914D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00914D5A

Strings

%d/%02d/%02d, xrefs: 00914CA8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5231a17895a588206d1ca37868d4ababd213e3df57dd9f0dc66633e5d2698cb1
Instruction ID: 68304dc62648aaca7ce1bff34a5e18e30226a069be42f61265d0c669b9a74230
Opcode Fuzzy Hash: 5231a17895a588206d1ca37868d4ababd213e3df57dd9f0dc66633e5d2698cb1
Instruction Fuzzy Hash: 5C12FC71744218ABEB249F28CC49FEE7BB8EF49710F144129F516EB2E1DB789981CB50

Function 0089F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0089F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008DF474
IsIconic.USER32(00000000), ref: 008DF47D
ShowWindow.USER32(00000000,00000009), ref: 008DF48A
SetForegroundWindow.USER32(00000000), ref: 008DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008DF4AA
GetCurrentThreadId.KERNEL32 ref: 008DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008DF4DE
SetForegroundWindow.USER32(00000000), ref: 008DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF4F6
keybd_event.USER32(00000012,00000000), ref: 008DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF50B
keybd_event.USER32(00000012,00000000), ref: 008DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF519
keybd_event.USER32(00000012,00000000), ref: 008DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008DF528
keybd_event.USER32(00000012,00000000), ref: 008DF52D
SetForegroundWindow.USER32(00000000), ref: 008DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008DF557

Strings

Shell_TrayWnd, xrefs: 008DF46F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6324c992390d0608fb4b0145d40ac11e64fd6afb2f29ada5a9c62d465e9cb73a
Instruction ID: a139dea47367c4b1fa3b12578531ccfd47f459f3b1bf2b29271ea92d6bdf4ada
Opcode Fuzzy Hash: 6324c992390d0608fb4b0145d40ac11e64fd6afb2f29ada5a9c62d465e9cb73a
Instruction Fuzzy Hash: 3E313EB1B94218BAEB216BB55C4AFBF7F6DFB44B50F104066FA01E61D1C6B15900FAA0

Function 008E1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E170D
Part of subcall function 008E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E173A
Part of subcall function 008E16C3: GetLastError.KERNEL32 ref: 008E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008E12A8
CloseHandle.KERNEL32(?), ref: 008E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008E12D1
GetProcessWindowStation.USER32 ref: 008E12EA
SetProcessWindowStation.USER32(00000000), ref: 008E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008E1310

Part of subcall function 008E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008E11FC), ref: 008E10D4
Part of subcall function 008E10BF: CloseHandle.KERNEL32(?,?,008E11FC), ref: 008E10E9

Strings

winsta0, xrefs: 008E12CC
, xrefs: 008E125A
default, xrefs: 008E130B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ee79e02038125a5608d30ada78c3d2032c3d234c9d40718f738685220a114037
Instruction ID: 64913c85b6b3427f26d31d63703cfbd2b8a3e934b342ff1935e0a6cef8ec00cf
Opcode Fuzzy Hash: ee79e02038125a5608d30ada78c3d2032c3d234c9d40718f738685220a114037
Instruction Fuzzy Hash: DF81A2B1A40289AFDF119FA9DC49FEE7BBAFF05704F148119F911E62A0C7708944DB25

Function 008E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E1114
Part of subcall function 008E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1120
Part of subcall function 008E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E112F
Part of subcall function 008E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1136
Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008E0C00
GetLengthSid.ADVAPI32(?), ref: 008E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008E0C6D
GetLengthSid.ADVAPI32(?), ref: 008E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008E0C8C
HeapAlloc.KERNEL32(00000000), ref: 008E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008E0CB4
CopySid.ADVAPI32(00000000), ref: 008E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0D45
HeapFree.KERNEL32(00000000), ref: 008E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0D55
HeapFree.KERNEL32(00000000), ref: 008E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0D65
HeapFree.KERNEL32(00000000), ref: 008E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008E0D78
HeapFree.KERNEL32(00000000), ref: 008E0D7F

Part of subcall function 008E1193: GetProcessHeap.KERNEL32(00000008,008E0BB1,?,00000000,?,008E0BB1,?), ref: 008E11A1
Part of subcall function 008E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008E0BB1,?), ref: 008E11A8
Part of subcall function 008E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008E0BB1,?), ref: 008E11B7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f3c8cbffba7feb0e871e394f437f3da05db10fe9fcc5b7836396f080120b1183
Instruction ID: 60cb0d49568589157fdf6e828c8b7b31d16d029261214aa4c0772e1e77aedd2b
Opcode Fuzzy Hash: f3c8cbffba7feb0e871e394f437f3da05db10fe9fcc5b7836396f080120b1183
Instruction Fuzzy Hash: 4A719CB1A4424AEBDF10DFA5DC44BEEBBB8FF09300F148A15E914E6190D7B4A945CF60

Function 008FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0091CC08), ref: 008FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 008FEB37
GetClipboardData.USER32(0000000D), ref: 008FEB43
CloseClipboard.USER32 ref: 008FEB4F
GlobalLock.KERNEL32(00000000), ref: 008FEB87
CloseClipboard.USER32 ref: 008FEB91
GlobalUnlock.KERNEL32(00000000), ref: 008FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 008FEBC9
GetClipboardData.USER32(00000001), ref: 008FEBD1
GlobalLock.KERNEL32(00000000), ref: 008FEBE2
GlobalUnlock.KERNEL32(00000000), ref: 008FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 008FEC38
GetClipboardData.USER32(0000000F), ref: 008FEC44
GlobalLock.KERNEL32(00000000), ref: 008FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008FECD2
GlobalUnlock.KERNEL32(00000000), ref: 008FECF3
CountClipboardFormats.USER32 ref: 008FED14
CloseClipboard.USER32 ref: 008FED59

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0a58f56ed3eba840ad1c68bb8f07244283471096640c951bd8ce83664365c94f
Instruction ID: a7e39f02000d9df7f29aba5dd83aeddb775986a80c69fd140d6ba2cb725077e8
Opcode Fuzzy Hash: 0a58f56ed3eba840ad1c68bb8f07244283471096640c951bd8ce83664365c94f
Instruction Fuzzy Hash: CE61DC7420820AAFD300EF28C884F7A77A4FF84754F088519F596D72B2DB31E905DB62

Function 008F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008F69BE
FindClose.KERNEL32(00000000), ref: 008F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008F6A75

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 008F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 008F6ADF

Strings

%02d, xrefs: 008F6C00, 008F6C0A, 008F6C5A, 008F6CAA, 008F6CFA, 008F6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008F6B32
%4d%02d%02d%02d%02d%02d, xrefs: 008F6B6A
%4d, xrefs: 008F6BB1
%03d, xrefs: 008F6DA2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: bd25bb415ae9705bb465217ef3148a044afaf65b2310e3a5a90d8e868269c468
Instruction ID: 60c273012d6f5aa0b2f9a194c6a71dc210cd5c2acb9803b4b736de87fbbdd30e
Opcode Fuzzy Hash: bd25bb415ae9705bb465217ef3148a044afaf65b2310e3a5a90d8e868269c468
Instruction Fuzzy Hash: FAD14BB2508304AAC714EBA8C981EBBB7E8FF98704F44491DF685D6191EB74DA44CB63

Function 008F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008F9663
GetFileAttributesW.KERNEL32(?), ref: 008F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 008F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 008F96D3
FindClose.KERNEL32(00000000), ref: 008F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 008F974A
SetCurrentDirectoryW.KERNEL32(00946B7C), ref: 008F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 008F9772
FindClose.KERNEL32(00000000), ref: 008F977F
FindClose.KERNEL32(00000000), ref: 008F978F

Strings

*.*, xrefs: 008F96F5

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 82975adcf59ad7dbf617b487c833b21fa96ee0cc7b12faa279d478a53f74f18f
Instruction ID: 18d791a861ab7f1cbda5de3f2e1f12595a2f2538af285b3f19d38b116788e829
Opcode Fuzzy Hash: 82975adcf59ad7dbf617b487c833b21fa96ee0cc7b12faa279d478a53f74f18f
Instruction Fuzzy Hash: 5A31E2B264421D6BDB10AFB4DC08BEE37ACEF49321F108455FA65E21A0EB34DD80CA10

Function 008F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 008F9819
FindClose.KERNEL32(00000000), ref: 008F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 008F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 008F9890
SetCurrentDirectoryW.KERNEL32(00946B7C), ref: 008F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008F98B8
FindClose.KERNEL32(00000000), ref: 008F98C5
FindClose.KERNEL32(00000000), ref: 008F98D5

Part of subcall function 008EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008EDB00

Strings

*.*, xrefs: 008F983B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 79feca6af464418a11f6e4af8051096e6b1d3b326f3d54fcc85cf94fbe91842e
Instruction ID: 0b205435426a79d0764a869ed7e7756e7b197f37e8e77d3c95d3712e9d9b2610
Opcode Fuzzy Hash: 79feca6af464418a11f6e4af8051096e6b1d3b326f3d54fcc85cf94fbe91842e
Instruction Fuzzy Hash: 7231F47165421D6AEB10EFB4DC48BEE37ACFF46364F108165F9A0E2190DB30DE85CA61

Function 0090BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0090BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0090BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0090C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0090C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0090C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0090C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0090C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0090C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0090C382
RegCloseKey.ADVAPI32(00000000), ref: 0090C38F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2262ea244c0d6f6afaa365ad2f1a88eacc9ff1bb612cb898d1546a1118c82552
Instruction ID: 954d543c71fe80acf8f32543880ff52e6e4db6b7705ac86d6e3b97cd3f4543c3
Opcode Fuzzy Hash: 2262ea244c0d6f6afaa365ad2f1a88eacc9ff1bb612cb898d1546a1118c82552
Instruction Fuzzy Hash: C5023CB16042009FD714DF28C895E2ABBE9FF49314F18859DF84ADB2A2D731ED45CB52

Function 008F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 008F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 008F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 008F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 008F8395

Strings

*.*, xrefs: 008F839B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6e83209ebea91c40ed1d76cc57842df4d5863f18b253ffa146ef19bc64f9f6f9
Instruction ID: b160214f34cbf1d65fdd21c1020961b4f373835d5a3b51d423d9005ec74121b8
Opcode Fuzzy Hash: 6e83209ebea91c40ed1d76cc57842df4d5863f18b253ffa146ef19bc64f9f6f9
Instruction Fuzzy Hash: 5A615BB26083499FDB10EF64C8409AEB3E8FF89314F04891DFA99D7251DB31E945CB92

Function 008ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2

Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A

FindFirstFileW.KERNEL32(?,?), ref: 008ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008ED1DD
MoveFileW.KERNEL32(?,?), ref: 008ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008ED237

Part of subcall function 008ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008ED21C,?,?), ref: 008ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008ED253
FindClose.KERNEL32(00000000), ref: 008ED264

Strings

\*.*, xrefs: 008ED0CD, 008ED0D6, 008ED0EB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 8fb369a4f1aaaa7c8f2f2e24577fde7564288ef14299312466d3d79049cc6939
Instruction ID: 20c1bfdc1cba87fb61e1c9f941634c3c1889857b7b9b230025286875767abfe6
Opcode Fuzzy Hash: 8fb369a4f1aaaa7c8f2f2e24577fde7564288ef14299312466d3d79049cc6939
Instruction Fuzzy Hash: 4A61593180524D9ACF15EBE5CA529FDB775FF16300F244065E412B7191EB31AF09DB62

Function 008FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008FED91
EmptyClipboard.USER32 ref: 008FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 008FEDAC
CloseClipboard.USER32 ref: 008FEEA3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 73db83fbd65abaa27cebc42676a7e257ea8ffdd1f01954076c7f119c3c079884
Instruction ID: af93cf1f03a801063145a60ec959eef69a642268f5d98cfb6a9bad46fb7b29b8
Opcode Fuzzy Hash: 73db83fbd65abaa27cebc42676a7e257ea8ffdd1f01954076c7f119c3c079884
Instruction Fuzzy Hash: EB41CE71208215AFE320DF29E888B69BBE1FF44358F14C499E565CBA72C775EC41CB90

Function 008EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E170D
Part of subcall function 008E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E173A
Part of subcall function 008E16C3: GetLastError.KERNEL32 ref: 008E174A

ExitWindowsEx.USER32(?,00000000), ref: 008EE932

Strings

@, xrefs: 008EE925
SeShutdownPrivilege, xrefs: 008EE902
, xrefs: 008EE920
, xrefs: 008EE95C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 732711eb6f99e447d2ec0aab9e9e4e79d20bbb281f79ec81ec54b5fc715b42ba
Instruction ID: f054dae0e090a0fa15572ed0f993aa17d5b23b9a21798aba15667a8f39df4217
Opcode Fuzzy Hash: 732711eb6f99e447d2ec0aab9e9e4e79d20bbb281f79ec81ec54b5fc715b42ba
Instruction Fuzzy Hash: 530126B2B20255ABEB1476BA9C8AFFB769CF716744F144821F812E31D3E6B09C4481A0

Function 00901204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00901276
WSAGetLastError.WSOCK32 ref: 00901283
bind.WSOCK32(00000000,?,00000010), ref: 009012BA
WSAGetLastError.WSOCK32 ref: 009012C5
closesocket.WSOCK32(00000000), ref: 009012F4
listen.WSOCK32(00000000,00000005), ref: 00901303
WSAGetLastError.WSOCK32 ref: 0090130D
closesocket.WSOCK32(00000000), ref: 0090133C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3c3a611e46f606a064392319ee6991eece25ebf6d4c8416fd13783bc6ed233f4
Instruction ID: 8d20a75e795c19abaac7af6163a37fd8281ec501a3170234f64359b78703b00c
Opcode Fuzzy Hash: 3c3a611e46f606a064392319ee6991eece25ebf6d4c8416fd13783bc6ed233f4
Instruction Fuzzy Hash: 7E4160716001009FD710DF68D589B69BBE5BF86318F188198E8669F2D6C771ED81CBE1

Function 008ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2

Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A

FindFirstFileW.KERNEL32(?,?), ref: 008ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008ED481
FindClose.KERNEL32(00000000), ref: 008ED498
FindClose.KERNEL32(00000000), ref: 008ED4A1

Strings

\*.*, xrefs: 008ED3F2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 70d8282767079a5b56d073024407a1f9d6032be184e2c527988275b5159db141
Instruction ID: 825b39cb915b80163f80f1a4e10fe17f552184d9bbde39d044c9276ffcadbd20
Opcode Fuzzy Hash: 70d8282767079a5b56d073024407a1f9d6032be184e2c527988275b5159db141
Instruction Fuzzy Hash: C4313C7101C3859BC215FF68D8918AFB7A8FEA6314F444A2DF4E1D2191EB30EA09D767

Function 008BE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008BE645

Strings

1#SNAN, xrefs: 008BF844
1#IND, xrefs: 008BF83D
1#INF, xrefs: 008BF852
1#QNAN, xrefs: 008BF84B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c1c9f0bf885baea69cb69417e537cecb26468f1de3714a0f7ffabe954b1792cc
Instruction ID: 5673ceeac643cd62dcf347b7b14fd41087ba91241830006a15ea072f75a42674
Opcode Fuzzy Hash: c1c9f0bf885baea69cb69417e537cecb26468f1de3714a0f7ffabe954b1792cc
Instruction Fuzzy Hash: 3AC22771E086298FDB25CE289D407EAB7B5FB49305F1441EAD94DE7341E774AE818F40

Function 008F648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F64DC
CoInitialize.OLE32(00000000), ref: 008F6639
CoCreateInstance.OLE32(0091FCF8,00000000,00000001,0091FB68,?), ref: 008F6650
CoUninitialize.OLE32 ref: 008F68D4

Strings

.lnk, xrefs: 008F64BA, 008F6524, 008F65E0

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 01f50c09e0eeac2446bcf318b4ae4dcca28f7d312f8678bdac1fb5d27cc5532a
Instruction ID: dfbcee3c85fc893d195865354172743578ad73592f2f9f683397a9497a830a35
Opcode Fuzzy Hash: 01f50c09e0eeac2446bcf318b4ae4dcca28f7d312f8678bdac1fb5d27cc5532a
Instruction Fuzzy Hash: D4D15971508205AFD314EF28C881D6BB7E9FF98304F14496DF695DB291EB70E905CBA2

Function 009022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009022E8

Part of subcall function 008FE4EC: GetWindowRect.USER32(?,?), ref: 008FE504

GetDesktopWindow.USER32 ref: 00902312
GetWindowRect.USER32(00000000), ref: 00902319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00902355
GetCursorPos.USER32(?), ref: 00902381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009023DF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b376302ef7750d12e7ffdf053e66f46af5b3fd72280a74e322fde57c60f0d254
Instruction ID: 378b4bef3b8b820247849918de78c8e22ec02889adc134c9d517f096f9d152a9
Opcode Fuzzy Hash: b376302ef7750d12e7ffdf053e66f46af5b3fd72280a74e322fde57c60f0d254
Instruction Fuzzy Hash: 1431DE72608315AFC720DF14C849B9BBBAAFF84710F004919F985D7191DB34EA08CB92

Function 008F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008F9C8B

Part of subcall function 008F3874: GetInputState.USER32 ref: 008F38CB
Part of subcall function 008F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008F9C75

Strings

*.*, xrefs: 008F9B5D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 940f9642f4563983c09a9589a6566691f05117a2f716bce8972f0a77e84c2d61
Instruction ID: 71301c7fba0154c18ed4506a49b01fd663ee3d4d439df8a5cf46d74a932c92e2
Opcode Fuzzy Hash: 940f9642f4563983c09a9589a6566691f05117a2f716bce8972f0a77e84c2d61
Instruction Fuzzy Hash: D5414B7194420EABDF14EF68C885BEEBBB8FF05310F244056E955E2191EB309E84CF61

Function 0089997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00899A4E
GetSysColor.USER32(0000000F), ref: 00899B23
SetBkColor.GDI32(?,00000000), ref: 00899B36

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 77bf090d52f2a88d2b74549b6cdb92ae5697bd6c0a865e2dbf42afcdb391c103
Instruction ID: 912af0bee888ea9bfc7087720217f05730e65921aa7fbdea5999536e7b990c89
Opcode Fuzzy Hash: 77bf090d52f2a88d2b74549b6cdb92ae5697bd6c0a865e2dbf42afcdb391c103
Instruction Fuzzy Hash: 8DA10970208528BFEF24BA2D9C59FBB27DDFB86314B18420EF542C6AD1DA259D41D372

Function 00901806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0090304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0090307A
Part of subcall function 0090304E: _wcslen.LIBCMT ref: 0090309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0090185D
WSAGetLastError.WSOCK32 ref: 00901884
bind.WSOCK32(00000000,?,00000010), ref: 009018DB
WSAGetLastError.WSOCK32 ref: 009018E6
closesocket.WSOCK32(00000000), ref: 00901915

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a8d5dee6439b25f638270e5d01ad7e64aca44397bbbbe86079bca6b0e5319a2e
Instruction ID: d8b92d188c5fcab8f6a1ede6a50366ee316ca57c777a24db298f052a9bf7eef2
Opcode Fuzzy Hash: a8d5dee6439b25f638270e5d01ad7e64aca44397bbbbe86079bca6b0e5319a2e
Instruction Fuzzy Hash: E0518375A002109FEB10AF28D886F6A77E5EB44718F18C498FA159F3D3D771AD41CBA2

Function 00911C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00911CC0
IsWindowEnabled.USER32 ref: 00911CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00911CDB
IsIconic.USER32 ref: 00911CE9
IsZoomed.USER32 ref: 00911CF7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d41449286ec21996561c9951f60e6ac60bab1ef70396258d1474a3d5a61c3b9e
Instruction ID: 7969e120423c8f270ecedb3b43bc1abc04180ad4294f23c285eec03b6ccc1559
Opcode Fuzzy Hash: d41449286ec21996561c9951f60e6ac60bab1ef70396258d1474a3d5a61c3b9e
Instruction Fuzzy Hash: E821B7717842156FE7209F1AD844B9A7BE9FF85354F198058E986CB391CB71EC82CBD0

Function 00888060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0088813C
VUUU, xrefs: 008C5DF0
VUUU, xrefs: 0088843C
VUUU, xrefs: 008883FA
VUUU, xrefs: 008883E8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 2bc87d473b384b6abaf04faa34addcb2b503edfa11d93c17595da0e5d0023291
Instruction ID: fa58c12b16581bb4d026fc6366f07e4b0d3f2e15b41dabfdbb2d70ad76fe743b
Opcode Fuzzy Hash: 2bc87d473b384b6abaf04faa34addcb2b503edfa11d93c17595da0e5d0023291
Instruction Fuzzy Hash: DAA27C71A0061ACBDF24DF58C944BAEB7B1FF54314F6481AAE815E7285EB30ED91CB90

Function 008EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008EAAAC
SetKeyboardState.USER32(00000080), ref: 008EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008EAB88

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ccff7d4544369880c4629a971e4946018ddd729397de361d74689278f5e95a31
Instruction ID: 278406e7893e7e0d91e283e4a86d1471c7c7f712af5f332d0c5403e8f6d665d2
Opcode Fuzzy Hash: ccff7d4544369880c4629a971e4946018ddd729397de361d74689278f5e95a31
Instruction Fuzzy Hash: A4312C70A40388AEFB388A66CC05BFA77A6FB96B30F04421AF181D61D0D375A985D753

Function 008BBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008BBB7F

Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0

GetTimeZoneInformation.KERNEL32 ref: 008BBB91
WideCharToMultiByte.KERNEL32(00000000,?,0095121C,000000FF,?,0000003F,?,?), ref: 008BBC09
WideCharToMultiByte.KERNEL32(00000000,?,00951270,000000FF,?,0000003F,?,?,?,0095121C,000000FF,?,0000003F,?,?), ref: 008BBC36

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 5333635194feace1db42eba5aba829cbb110d0f61ea360a86c8047feca279e94
Instruction ID: e68687e29805d01ebbd92b516feba3d5f60d9a91ba95d62a90990afe2ad92f4f
Opcode Fuzzy Hash: 5333635194feace1db42eba5aba829cbb110d0f61ea360a86c8047feca279e94
Instruction Fuzzy Hash: 0531CF70948205EFCB14DF6ACC90AAEBBB8FF45320B1446AAE060DB3A1D7709E40DB50

Function 008FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008FCE89
GetLastError.KERNEL32(?,00000000), ref: 008FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 008FCEFE

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 298b1b18e8023262e11eac556cad869c290aa99a7d2505d844be39fceebcd854
Instruction ID: ba11365ed9d3c53c68cdf53d6e4bbc2747b2961116ba1bc2189d1ce2c9574e19
Opcode Fuzzy Hash: 298b1b18e8023262e11eac556cad869c290aa99a7d2505d844be39fceebcd854
Instruction Fuzzy Hash: C621ACB164430D9BEB20CF65CA48BA6B7F8FB50318F10881AE646D2151EB70EA04DB60

Function 008E8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008E82AA

Strings

(, xrefs: 008E82F0
|, xrefs: 008E82DA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 684f6e36354c4a5ebdb8b8cfbbda09f65049f72d953a0b534d5d3e65b7ac3f96
Instruction ID: ff34cb07ca729c7ef2a905007d7c445628a756ae743506629372027b4af71f9e
Opcode Fuzzy Hash: 684f6e36354c4a5ebdb8b8cfbbda09f65049f72d953a0b534d5d3e65b7ac3f96
Instruction Fuzzy Hash: 75322474A04745DFCB28CF5AC481A6AB7F0FF48710B15856EE99ADB3A1EB70E941CB40

Function 008F5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008F5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 008F5D17
FindClose.KERNEL32(?), ref: 008F5D5F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0f009bd254908ec02509690103f59b1c23971ef498b813ac8539fc08ab8cc017
Instruction ID: a4fedb577c48fddcadf37f47f3e45fb057adfca176d94e848d49b1119f56b7c6
Opcode Fuzzy Hash: 0f009bd254908ec02509690103f59b1c23971ef498b813ac8539fc08ab8cc017
Instruction Fuzzy Hash: EF51CC746046059FD704EF28C484EA6B7E4FF4A318F14856DEA6ACB3A1DB30ED00CB92

Function 008B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008B2731

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d4a862007036ba0a6f159767e2b595190ecca0a23a08d90a7318301cc69d1a8f
Instruction ID: 44231a2bfe11b946816d2e278db934ac370e391a6a93a1d8ce479c88b9745374
Opcode Fuzzy Hash: d4a862007036ba0a6f159767e2b595190ecca0a23a08d90a7318301cc69d1a8f
Instruction Fuzzy Hash: 1D31C4749512289BCB21DF68DC88BD8B7B8FF08310F5041EAE41CA6260EB309F818F45

Function 008F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008F5238
SetErrorMode.KERNEL32(00000000), ref: 008F52A1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f83596a73ca3e7a81c6e846b6642880149ac1146ee8a5cf3125859724f0195c8
Instruction ID: f5343837c285f699ff6ec1a555f1ede48c0f5298cf37dba3c1f2e411929d7365
Opcode Fuzzy Hash: f83596a73ca3e7a81c6e846b6642880149ac1146ee8a5cf3125859724f0195c8
Instruction Fuzzy Hash: 92318F75A00508DFDB00DF64D884EADBBB4FF09318F088099E905EB362DB31E845CBA1

Function 008E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0089FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008A0668
Part of subcall function 0089FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008A0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008E173A
GetLastError.KERNEL32 ref: 008E174A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 32efb02eb0e0ca1870310dab11982ad6c2f6dc081aa07903cf52d6ebf12bde59
Instruction ID: e40223511f25e5f40bbddb82035b874657175aef7549b4d9ab886e11d48fe063
Opcode Fuzzy Hash: 32efb02eb0e0ca1870310dab11982ad6c2f6dc081aa07903cf52d6ebf12bde59
Instruction Fuzzy Hash: A811C1B2514308AFDB18AF54DC8ADAAB7F9FB05714B24C52EE05697641EB70BC41CA20

Function 008ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008ED650

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e920505067e59bfd99778733b450b23b9b1ee960329189829c8975a2b532defb
Instruction ID: 490af4e8c68456b9033636d2d52b0bfb96cf90a4281d781622f44f9ee649c1f9
Opcode Fuzzy Hash: e920505067e59bfd99778733b450b23b9b1ee960329189829c8975a2b532defb
Instruction Fuzzy Hash: 25117CB1E45228BBDB108F959C44FEFBBBCEB45B50F108111F924E7290C2704A058BE1

Function 008E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008E16A1
FreeSid.ADVAPI32(?), ref: 008E16B1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a5c5bdfe66946985e0f280c1a2872c9cd1151d7ee829eed423e215df733d5b83
Instruction ID: aa4c5b3b46f3830d75c287641ced63e6ffb850eeaec2ad30b209f7bc22a3986c
Opcode Fuzzy Hash: a5c5bdfe66946985e0f280c1a2872c9cd1151d7ee829eed423e215df733d5b83
Instruction Fuzzy Hash: 3EF0F4B1A90309FBDF00DFE49C89EAEBBBCFB08604F508565E501E2191E774AA449A50

Function 008DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008DD28C

Strings

X64, xrefs: 008DD2A8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5dee592191d317b77f2b31bbf99cf381c99b4381dfbe6afbc52007109d0b2164
Instruction ID: 40330c672fad80cbfe8036401ead0e2761d6662adafe0a0c7218ac6837448000
Opcode Fuzzy Hash: 5dee592191d317b77f2b31bbf99cf381c99b4381dfbe6afbc52007109d0b2164
Instruction Fuzzy Hash: 52D0CAB581522DEACF94DBA0EC88DDAB3BCFB08349F104292F146E2100DB30A6489F20

Function 008ACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0ce93bf9f9326e47cdd5d501d520aa076e36fa06db0e224c3193bb396b89134e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 5E020B71E002199FEF14CFA9C8806ADFBF1FF49324F25816AD919E7784D731AA418B94

Function 008F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008F6918
FindClose.KERNEL32(00000000), ref: 008F6961

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 33552a6494b25664e1972781980d41f5f84bcebbd8c768d4624bc2e681626c68
Instruction ID: 08176e3aeac320c28ae5700d1734252601c28fe4277d4e21a2804d5ad28d1d00
Opcode Fuzzy Hash: 33552a6494b25664e1972781980d41f5f84bcebbd8c768d4624bc2e681626c68
Instruction Fuzzy Hash: E811D0716142049FD710DF29D484A26BBE0FF84328F14C699E569CF2A2DB70EC05CB91

Function 008F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00904891,?,?,00000035,?), ref: 008F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00904891,?,?,00000035,?), ref: 008F37F4

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4ae6b77e2b0ad850fca362f627f20dca5958ab5192bbd4ad4aa2a9d6a74e20a9
Instruction ID: 3e52171aadedbe7ff31ea2f9815e941a66e6157a6e239e9c68c4cd21adac96c4
Opcode Fuzzy Hash: 4ae6b77e2b0ad850fca362f627f20dca5958ab5192bbd4ad4aa2a9d6a74e20a9
Instruction Fuzzy Hash: D3F0ECB07042192AD71027755C4DFEB36AEFFC5761F000175F505D2281D9709944C7B1

Function 008EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008EB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 008EB270

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ee7dd6bf1d6b6ba94a72473cc98a9dc494f0d887aeaeb1cd915c3b0d3a525ad3
Instruction ID: 569c15071ecd1d9347f130281b0facfc032733cd5f6ddf3cfda38d472d88dc6f
Opcode Fuzzy Hash: ee7dd6bf1d6b6ba94a72473cc98a9dc494f0d887aeaeb1cd915c3b0d3a525ad3
Instruction Fuzzy Hash: F0F01D7195428DABDB059FA1C805BEE7BB4FF05309F008009F965A6191C3799611DF94

Function 008E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008E11FC), ref: 008E10D4
CloseHandle.KERNEL32(?,?,008E11FC), ref: 008E10E9

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1ff9f840a8477f3fb300459fecf4ea6b667bc15fbdb596638fb6e1dcf4bb7bb5
Instruction ID: 176654d3e38cd87add79cb42f04e44adf7559913205126db5e37f16a0799ace8
Opcode Fuzzy Hash: 1ff9f840a8477f3fb300459fecf4ea6b667bc15fbdb596638fb6e1dcf4bb7bb5
Instruction Fuzzy Hash: A2E0BF72158610AFEB292B55FC09EB777A9FB05310B24C82DF5A5C44B1DB626C90EB50

Function 0088CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008D0C40

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: c93d00910131a21440235ad8f7aac12482a29d35ffda5ed530cfde5a8303db4a
Instruction ID: df42a9fdfd91e18184f47fafb062832774c0b6fab6c4ecdf20cb791fa0764b5d
Opcode Fuzzy Hash: c93d00910131a21440235ad8f7aac12482a29d35ffda5ed530cfde5a8303db4a
Instruction Fuzzy Hash: A3329870900218DBDF14EF94D980BEDB7B5FF05308F24816AE806EB286DB75AE45CB61

Function 008B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008B6766,?,?,00000008,?,?,008BFEFE,00000000), ref: 008B6998

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6f9f692a591161575231d6b4686b013a9685251cbfe8dc9ba5e393555173a5b9
Instruction ID: bba63be7f02e12d711eb785fab31920bef63e0d98fb95b8969edf07c0f693e64
Opcode Fuzzy Hash: 6f9f692a591161575231d6b4686b013a9685251cbfe8dc9ba5e393555173a5b9
Instruction Fuzzy Hash: 57B16E31610609DFDB15CF28C486BA57BE0FF05364F298658E899CF3A2D739E9A1CB40

Function 0089B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008D851F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 174ac041882e20815f27587a9a3b7bd805a681b4773ffdd73019ff9f5ce14abc
Instruction ID: 1e9c95263d394f490fdd16ae68b527e7c296a8f11264d94a6170fb03d07ffab9
Opcode Fuzzy Hash: 174ac041882e20815f27587a9a3b7bd805a681b4773ffdd73019ff9f5ce14abc
Instruction Fuzzy Hash: BE125C71A00229DBCF24DF58D9816EEB7B5FF48710F1481AAE849EB351DB309A81DF94

Function 008FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008FEABD

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7f7e9a44a8cce97f7e32a6c2d0ac4abda30a298587a432ec26ce5eabad212a15
Instruction ID: 49a23df17d3d323da0424709288e838f75ee04c0f3faf8baddf07c96fb18bea3
Opcode Fuzzy Hash: 7f7e9a44a8cce97f7e32a6c2d0ac4abda30a298587a432ec26ce5eabad212a15
Instruction Fuzzy Hash: F0E01A712102189FD710EF69D804E9ABBE9FFA8764F008416FD49C7261DAB0A8408BA1

Function 008A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008A03EE), ref: 008A09DA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b9cb87468f80ffd98bdea4ceaa14172e8ea88953198c333f633ef5cf546fba6f
Instruction ID: 7b4cbc3b75499490a1633b5e314d2856eb6201e57fd573c8ba96f1a12b8889ba
Opcode Fuzzy Hash: b9cb87468f80ffd98bdea4ceaa14172e8ea88953198c333f633ef5cf546fba6f
Instruction Fuzzy Hash:

Function 008A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008A798B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 81c3914124f3689a1cd5c961231cf76d52588c0120a76c7cd5753cf3bccd0432
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7C51466160C6499AFB3845288C597BF2B89FB13344F1C053AD886D7E82D61DEE05F35A

Function 008B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad6e06dad22bc8433dbde365ef9fbb82652a5d13982100ba1e57c9d26e55c89
Instruction ID: 362aae3a1b1e9d3a883b259925498dac4aca68c145e5b5034025058896c4b0cd
Opcode Fuzzy Hash: 1ad6e06dad22bc8433dbde365ef9fbb82652a5d13982100ba1e57c9d26e55c89
Instruction Fuzzy Hash: A032F022D2DF414DD7339634D822336A689EFB73C5F15D737E82AB5AA9EB29C4835100

Function 0089CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43b193208dbb2f2474ea7edbe8feeff20be08bb5a8476204d5651af5e112c1c
Instruction ID: e9b2ee5668a253a807393cd0971e09b3956184bc3b79e79b9834254ae3aa0bf3
Opcode Fuzzy Hash: f43b193208dbb2f2474ea7edbe8feeff20be08bb5a8476204d5651af5e112c1c
Instruction Fuzzy Hash: EC322531A4411B8BDF28CF69C890A7D7BA1FF45318F28866BD84ACB391D631DD81DB40

Function 00887920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def8296e61536757ea058269f8da723ebf4076d5e124b8e8bd4e7c267e99e7e7
Instruction ID: 24d211e9db6e18f09b2dd74599abcf8173b50558574433e4527a974e45ead8b2
Opcode Fuzzy Hash: def8296e61536757ea058269f8da723ebf4076d5e124b8e8bd4e7c267e99e7e7
Instruction Fuzzy Hash: 6422BFB0A046099FDF14DFA8C881BAEB7B6FF44314F244529E816EB291EB35E950CB51

Function 008891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e2c8585f5ab0b312da43860fb5385ba1a1da4b90a182566dcdf98532dece23
Instruction ID: 14ab3ff0acb6b9947687cc10bfd00a6475adf30c0ada9dd5a07d66269539089a
Opcode Fuzzy Hash: 56e2c8585f5ab0b312da43860fb5385ba1a1da4b90a182566dcdf98532dece23
Instruction Fuzzy Hash: B902A5B0A10119EFDF04EF58D841BADB7B1FF54304F548169E956DB291EB31EA10CB91

Function 008B9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d14bee329315b290757800c0594798db7f75b41d50965c0688133e23fc6ca4
Instruction ID: 8fd03b842b9ad982489efbe49d506dfdf834f4bc09280fe56f561bc4ae32109d
Opcode Fuzzy Hash: 78d14bee329315b290757800c0594798db7f75b41d50965c0688133e23fc6ca4
Instruction Fuzzy Hash: 1FB1F120D3AF414DD32396398831336B69CAFBB6D5F91D71BFC2674E22EB2686835140

Function 008A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ae5962273a0b904434c067ec9ceb4b065f4128a0ba1b0b764cf78f2123346ec3
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: CD9157726080A34AFF294639857C07EFFE1EA533B1B1A079DD4F2CA9C5FE149964D620

Function 008A1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 71e8acfdb608e176b9b3822a18ded17a30345008fc34ac59e229be54f73905d3
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 7C9154722090E34DFB79423D857843EFFE1EA933A171A079DE4F2CA9C5EE249554E620

Function 008A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 30fe702218617d97083cfcde397077e1a2001302d1b723af58e8192ca0187390
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 779141722090B24AFF69427A857C03EFEE1AA933B1B1A079DD4F2CA9C1FD249555D620

Function 008A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7892532af15caca31ef041a54b4f83b39d001fd6d73e952c4be8b5deccec73
Instruction ID: de5be2a59c1193cdf95df14f9578d2665eedb9de94734de4bf3df0e255af5de2
Opcode Fuzzy Hash: 1a7892532af15caca31ef041a54b4f83b39d001fd6d73e952c4be8b5deccec73
Instruction Fuzzy Hash: 1C6179B1208719A6FB349A2C8C95BBF2394FF43364F140919E942DBE81D611AE43F376

Function 008A7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9685fdeda11f3aef6026e587c2618ace5c8137fea7f7f310603652035fefaa5e
Instruction ID: db08d3dc2dc4613a323ae0bcba98ca490c9e980cea595eea1157f37dd1b81a46
Opcode Fuzzy Hash: 9685fdeda11f3aef6026e587c2618ace5c8137fea7f7f310603652035fefaa5e
Instruction Fuzzy Hash: 3C618A7160870996FF384A2C4C65BBF2384FF43B04F140959E943CBE89EA56AD42B366

Function 008A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 85791e1b5ef6e88849410596f321b1903b709e447f435c18460483bc379b696a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E58153726090A309FF6D4239857843EFFE1FA933A1B1E17ADD4F2CA9C5EE148554D620

Function 008F2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3693c815779cec3a33c8d6278170fe4fdc6740a9881a085fa94f623fabe5e20
Instruction ID: fc54de8ef03b78f3b3e8c164f270985dc5d4efe624fe4e53b6df95d29f729943
Opcode Fuzzy Hash: f3693c815779cec3a33c8d6278170fe4fdc6740a9881a085fa94f623fabe5e20
Instruction Fuzzy Hash: FF21A8326216158BDB28CF79C81267A73E5F7A4310F15862EE4A7C37D0DE35A904DB40

Function 00902ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00902B30
DeleteObject.GDI32(00000000), ref: 00902B43
DestroyWindow.USER32 ref: 00902B52
GetDesktopWindow.USER32 ref: 00902B6D
GetWindowRect.USER32(00000000), ref: 00902B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00902CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00902CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902CF8
GetClientRect.USER32(00000000,?), ref: 00902D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00902D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D80
GlobalLock.KERNEL32(00000000), ref: 00902D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902D98
GlobalUnlock.KERNEL32(00000000), ref: 00902DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902DA8
GlobalFree.KERNEL32(00000000), ref: 00902DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0091FC38,00000000), ref: 00902DDB
GlobalFree.KERNEL32(00000000), ref: 00902DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00902E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00902E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00902E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0090303F

Strings

AutoIt v3, xrefs: 00902CF2
DISPLAY, xrefs: 00902EA2
, xrefs: 00902FC5
static, xrefs: 00902D3A, 00902E91

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 56627ab82b6e6682045d3bad4bb01a1ec704fed04b27aa16696485bf4e7b98e9
Instruction ID: 3a92252f3d114f5c7247408f115c7660afd44d09157ca8f07a364ba2acdeaf20
Opcode Fuzzy Hash: 56627ab82b6e6682045d3bad4bb01a1ec704fed04b27aa16696485bf4e7b98e9
Instruction Fuzzy Hash: B9028DB1610215AFDB14DF68CC89EAE7BB9FF49711F108558F915AB2A1C770ED00DB60

Function 009170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0091712F
GetSysColorBrush.USER32(0000000F), ref: 00917160
GetSysColor.USER32(0000000F), ref: 0091716C
SetBkColor.GDI32(?,000000FF), ref: 00917186
SelectObject.GDI32(?,?), ref: 00917195
InflateRect.USER32(?,000000FF,000000FF), ref: 009171C0
GetSysColor.USER32(00000010), ref: 009171C8
CreateSolidBrush.GDI32(00000000), ref: 009171CF
FrameRect.USER32(?,?,00000000), ref: 009171DE
DeleteObject.GDI32(00000000), ref: 009171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00917230
FillRect.USER32(?,?,?), ref: 00917262
GetWindowLongW.USER32(?,000000F0), ref: 00917284

Part of subcall function 009173E8: GetSysColor.USER32(00000012), ref: 00917421
Part of subcall function 009173E8: SetTextColor.GDI32(?,?), ref: 00917425
Part of subcall function 009173E8: GetSysColorBrush.USER32(0000000F), ref: 0091743B
Part of subcall function 009173E8: GetSysColor.USER32(0000000F), ref: 00917446
Part of subcall function 009173E8: GetSysColor.USER32(00000011), ref: 00917463
Part of subcall function 009173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00917471
Part of subcall function 009173E8: SelectObject.GDI32(?,00000000), ref: 00917482
Part of subcall function 009173E8: SetBkColor.GDI32(?,00000000), ref: 0091748B
Part of subcall function 009173E8: SelectObject.GDI32(?,?), ref: 00917498
Part of subcall function 009173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009174B7
Part of subcall function 009173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009174CE
Part of subcall function 009173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009174DB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2fa0ff887a04f5ef9fdd7b03c3efcc043acd94b45645cbaaa5a31abbe1bc2a65
Instruction ID: c62c3c4f4660d8021658ceeb6f693491c985f686c2d7210ea60af0ff29e98433
Opcode Fuzzy Hash: 2fa0ff887a04f5ef9fdd7b03c3efcc043acd94b45645cbaaa5a31abbe1bc2a65
Instruction Fuzzy Hash: A7A1C1B225C306FFDB019FA0DC48A9BBBB9FB49320F104A19F962961E1D734E941DB51

Function 00898D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00898E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008D6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008D6F43

Part of subcall function 00898F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00898BE8,?,00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898FC5

SendMessageW.USER32(?,00001053), ref: 008D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008D6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008D6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008D6FB7

Strings

0, xrefs: 008D6DCF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: cb6233843b5290e7075a1af595a6421878fb1bc14610ede1c97c9851d3d4d523
Instruction ID: f78f293986139fc5d130a5b689efd3b2d2d8ceb1c0ee4ade92f5a98ce9ed2438
Opcode Fuzzy Hash: cb6233843b5290e7075a1af595a6421878fb1bc14610ede1c97c9851d3d4d523
Instruction Fuzzy Hash: E712DE7020420ADFCB25DF28D864BA9B7E1FF45314F18866AF495CB261DB31EC61DB91

Function 00902711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0090273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0090286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00902900
GetClientRect.USER32(00000000,?), ref: 0090290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00902955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00902964
GetStockObject.GDI32(00000011), ref: 00902974
SelectObject.GDI32(00000000,00000000), ref: 00902978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00902988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00902991
DeleteDC.GDI32(00000000), ref: 0090299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00902A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00902A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00902A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00902A77
GetStockObject.GDI32(00000011), ref: 00902A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00902A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00902A97

Strings

AutoIt v3, xrefs: 009028F8
DISPLAY, xrefs: 0090295A
msctls_progress32, xrefs: 00902A13
static, xrefs: 0090294F, 00902A71

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: af012465f559e61742fb4ec61359662c55356d68be8df4bd4495d80c5a6953f6
Instruction ID: 8b1c2195710239746f376810750c46dca1ae11c85ceda8475a8c23198c0c83ac
Opcode Fuzzy Hash: af012465f559e61742fb4ec61359662c55356d68be8df4bd4495d80c5a6953f6
Instruction Fuzzy Hash: 1DB149B1A50215AFEB14DFA8CC89FAE7BA9FB48711F108114F914E72D0D770AD40CBA0

Function 008F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008F4AED
GetDriveTypeW.KERNEL32(?,0091CB68,?,\\.\,0091CC08), ref: 008F4BCA
SetErrorMode.KERNEL32(00000000,0091CB68,?,\\.\,0091CC08), ref: 008F4D36

Strings

\\.\, xrefs: 008F4B3F
iSCSI, xrefs: 008F4CC2
SATA, xrefs: 008F4CD0
Network, xrefs: 008F4C02
RAID, xrefs: 008F4CBB
Virtual, xrefs: 008F4CE5
SAS, xrefs: 008F4CC9
SSA, xrefs: 008F4CA6
PhysicalDrive, xrefs: 008F4B76
Fixed, xrefs: 008F4C09
FileBackedVirtual, xrefs: 008F4CEC
ATA, xrefs: 008F4C98
1394, xrefs: 008F4C9F
SSD, xrefs: 008F4C4A
Unknown, xrefs: 008F4BED, 008F4C83
USB, xrefs: 008F4CB4
RAMDisk, xrefs: 008F4BF4
CDROM, xrefs: 008F4BFB
ATAPI, xrefs: 008F4C91
Fibre, xrefs: 008F4CAD
Removable, xrefs: 008F4C10, 008F4C15
MMC, xrefs: 008F4CDE
SCSI, xrefs: 008F4C8A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b005deb2743e269cf669ac5f8ca4381b3cd64925f8d85da1dbba15be158cc568
Instruction ID: 4da985bf3ec1291cb17c83299b2b8039b5a19a054d34f676e9dcbbb9125b62ae
Opcode Fuzzy Hash: b005deb2743e269cf669ac5f8ca4381b3cd64925f8d85da1dbba15be158cc568
Instruction Fuzzy Hash: 2C61B4B064520D9BCB14EF38C981D7A77A0FB86718B246017FA06EB292DB35DD41DB52

Function 009173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00917421
SetTextColor.GDI32(?,?), ref: 00917425
GetSysColorBrush.USER32(0000000F), ref: 0091743B
GetSysColor.USER32(0000000F), ref: 00917446
CreateSolidBrush.GDI32(?), ref: 0091744B
GetSysColor.USER32(00000011), ref: 00917463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00917471
SelectObject.GDI32(?,00000000), ref: 00917482
SetBkColor.GDI32(?,00000000), ref: 0091748B
SelectObject.GDI32(?,?), ref: 00917498
InflateRect.USER32(?,000000FF,000000FF), ref: 009174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0091752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00917554
InflateRect.USER32(?,000000FD,000000FD), ref: 00917572
DrawFocusRect.USER32(?,?), ref: 0091757D
GetSysColor.USER32(00000011), ref: 0091758E
SetTextColor.GDI32(?,00000000), ref: 00917596
DrawTextW.USER32(?,009170F5,000000FF,?,00000000), ref: 009175A8
SelectObject.GDI32(?,?), ref: 009175BF
DeleteObject.GDI32(?), ref: 009175CA
SelectObject.GDI32(?,?), ref: 009175D0
DeleteObject.GDI32(?), ref: 009175D5
SetTextColor.GDI32(?,?), ref: 009175DB
SetBkColor.GDI32(?,?), ref: 009175E5

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c015e1f7b20e6f92f8d4175b4ba5850372e1cb4a6ffaad9ab154b7114c8598be
Instruction ID: 86e7cb32a0c6f0783d2f501b2b33e2ce1df62cdac21847a168b75ffc73ba77c9
Opcode Fuzzy Hash: c015e1f7b20e6f92f8d4175b4ba5850372e1cb4a6ffaad9ab154b7114c8598be
Instruction Fuzzy Hash: 2D6170B2A48219BFDF019FA4DC49EEEBF79EB08320F108115F911AB2A1D7749940DB90

Function 00910FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00911128
GetDesktopWindow.USER32 ref: 0091113D
GetWindowRect.USER32(00000000), ref: 00911144
GetWindowLongW.USER32(?,000000F0), ref: 00911199
DestroyWindow.USER32(?), ref: 009111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0091120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0091121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00911232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00911245
IsWindowVisible.USER32(00000000), ref: 009112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009112D0
GetWindowRect.USER32(00000000,?), ref: 009112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0091130E
GetMonitorInfoW.USER32(00000000,?), ref: 00911328
CopyRect.USER32(?,?), ref: 0091133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009113AA

Strings

0, xrefs: 009110D3
(, xrefs: 0091131B
tooltips_class32, xrefs: 009111E6

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8c070656961e186f83b6c39d59705311caa23947e6c88e7f0ad3dd4614dcb554
Instruction ID: 42d4628fdc94d2ca32cb0975e6dd5656f4560adbcb8ea24113a041cd9c854f99
Opcode Fuzzy Hash: 8c070656961e186f83b6c39d59705311caa23947e6c88e7f0ad3dd4614dcb554
Instruction Fuzzy Hash: 58B18071608345AFD714DF64C885BAEBBE4FF88750F00891CFA999B2A1C771E885CB52

Function 00898891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00898968
GetSystemMetrics.USER32(00000007), ref: 00898970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0089899B
GetSystemMetrics.USER32(00000008), ref: 008989A3
GetSystemMetrics.USER32(00000004), ref: 008989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00898A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00898A3C
GetClientRect.USER32(00000000,000000FF), ref: 00898A5A
GetStockObject.GDI32(00000011), ref: 00898A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00898A81

Part of subcall function 0089912D: GetCursorPos.USER32(?), ref: 00899141
Part of subcall function 0089912D: ScreenToClient.USER32(00000000,?), ref: 0089915E
Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000001), ref: 00899183
Part of subcall function 0089912D: GetAsyncKeyState.USER32(00000002), ref: 0089919D

SetTimer.USER32(00000000,00000000,00000028,008990FC), ref: 00898AA8

Strings

AutoIt v3 GUI, xrefs: 00898A20

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d7b34262c8470e15601df2e9f086ebaabef2248616f35f028d0f3dcd046bcc36
Instruction ID: 0dfb994e49ecddc587a1fa0f7a430b853283282c617e015cff1a3ddc90b8cc36
Opcode Fuzzy Hash: d7b34262c8470e15601df2e9f086ebaabef2248616f35f028d0f3dcd046bcc36
Instruction Fuzzy Hash: 2CB17A71A4420AEFDF14DFA8D845BAE3BB5FB48315F14422AFA15EB290DB34A840DB51

Function 008E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E1114
Part of subcall function 008E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1120
Part of subcall function 008E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E112F
Part of subcall function 008E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1136
Part of subcall function 008E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008E0E29
GetLengthSid.ADVAPI32(?), ref: 008E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008E0E96
GetLengthSid.ADVAPI32(?), ref: 008E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008E0EB5
HeapAlloc.KERNEL32(00000000), ref: 008E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008E0EDD
CopySid.ADVAPI32(00000000), ref: 008E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0F6E
HeapFree.KERNEL32(00000000), ref: 008E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0F7E
HeapFree.KERNEL32(00000000), ref: 008E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E0F8E
HeapFree.KERNEL32(00000000), ref: 008E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008E0FA1
HeapFree.KERNEL32(00000000), ref: 008E0FA8

Part of subcall function 008E1193: GetProcessHeap.KERNEL32(00000008,008E0BB1,?,00000000,?,008E0BB1,?), ref: 008E11A1
Part of subcall function 008E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008E0BB1,?), ref: 008E11A8
Part of subcall function 008E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008E0BB1,?), ref: 008E11B7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fb52d48b3156ce27381bd84fee9da575eac48f26f3bdc27a2ec118a830295f71
Instruction ID: 20174723025a5cfc942ffdfe4fea0d1ea5c2b38118ba9bae6a93d0a72598f13b
Opcode Fuzzy Hash: fb52d48b3156ce27381bd84fee9da575eac48f26f3bdc27a2ec118a830295f71
Instruction Fuzzy Hash: DF718DB1A0424AABDF209FA5DC44BEEBBB8FF09300F048515F959E6191DB709D55CF60

Function 0090C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0091CC08,00000000,?,00000000,?,?), ref: 0090C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0090C5A4
_wcslen.LIBCMT ref: 0090C5F4
_wcslen.LIBCMT ref: 0090C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0090C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0090C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0090C84D
RegCloseKey.ADVAPI32(?), ref: 0090C881
RegCloseKey.ADVAPI32(00000000), ref: 0090C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0090C960

Strings

REG_MULTI_SZ, xrefs: 0090C6F5
REG_DWORD, xrefs: 0090C804
REG_EXPAND_SZ, xrefs: 0090C5CD
REG_QWORD, xrefs: 0090C8C3
REG_SZ, xrefs: 0090C644
REG_BINARY, xrefs: 0090C913

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 7b16f56bdc24d7937a60ccee19f7da86ec8cb417744b766eba5ecf645d41b2a7
Instruction ID: 9d326ca60b91fbe0deb0764e1c909ca1ea3811243e1aad4b2f47c5c26141d6ce
Opcode Fuzzy Hash: 7b16f56bdc24d7937a60ccee19f7da86ec8cb417744b766eba5ecf645d41b2a7
Instruction Fuzzy Hash: 3A125A756082019FDB14EF18C881A2AB7E5FF89714F14895CF85A9B3A2DB31FD41CB92

Function 0091091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009109C6
_wcslen.LIBCMT ref: 00910A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00910A54
_wcslen.LIBCMT ref: 00910A8A
_wcslen.LIBCMT ref: 00910B06
_wcslen.LIBCMT ref: 00910B81

Part of subcall function 0089F9F2: _wcslen.LIBCMT ref: 0089F9FD

Part of subcall function 008E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008E2BFA

Strings

EXPAND, xrefs: 00910BF8
SELECT, xrefs: 00910D11
COLLAPSE, xrefs: 00910B01, 00910B1C
ISCHECKED, xrefs: 00910CE1
GETSELECTED, xrefs: 00910C4E
UNCHECK, xrefs: 00910D3E
GETTOTALCOUNT, xrefs: 009109F2, 00910A17
EXISTS, xrefs: 00910B7C, 00910B97
GETTEXT, xrefs: 00910C97
CHECK, xrefs: 00910A85, 00910AA0
GETITEMCOUNT, xrefs: 00910C1E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ef3faf76f620fb7577ae913dfcf5ed81e156b103c1aa016a401f2f7190b7d0ae
Instruction ID: 679f958f000e369d39a2c10792c9dfaebbd09f1d849ddb892d753e50d5e35882
Opcode Fuzzy Hash: ef3faf76f620fb7577ae913dfcf5ed81e156b103c1aa016a401f2f7190b7d0ae
Instruction Fuzzy Hash: A9E19C352083058FCB14EF28C45096AB7E5FFD8318B14895DF8969B3A2D772ED85CB92

Function 0090C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
_wcslen.LIBCMT ref: 0090C9F1
_wcslen.LIBCMT ref: 0090CA68
_wcslen.LIBCMT ref: 0090CA9E
_wcslen.LIBCMT ref: 0090CAF9
_wcslen.LIBCMT ref: 0090CB2F
_wcslen.LIBCMT ref: 0090CB7F

Strings

HKCU, xrefs: 0090CBCE
HKCC, xrefs: 0090CBAC
HKEY_USERS, xrefs: 0090CBDF
HKEY_LOCAL_MACHINE, xrefs: 0090CA62, 0090CA67
HKLM, xrefs: 0090CA98, 0090CA9D
HKEY_CLASSES_ROOT, xrefs: 0090CAF3, 0090CAF8
HKCR, xrefs: 0090CB29, 0090CB2E
HKEY_CURRENT_USER, xrefs: 0090CBBD
HKU, xrefs: 0090CBF0
HKEY_CURRENT_CONFIG, xrefs: 0090CB79, 0090CB7E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c7fe1eb85570a211048fdaf9bb2c57643656f8780a9243bf7d5043bf5d4ef757
Instruction ID: 9e235c7fbee0bc8cc0a8affdfa8de3b3261e1c372510964217b9da95f7a7270c
Opcode Fuzzy Hash: c7fe1eb85570a211048fdaf9bb2c57643656f8780a9243bf7d5043bf5d4ef757
Instruction Fuzzy Hash: 7471F3B260016A8FCB20DF6CC9519BF3399ABA1754F650B28FC66E72C5E635CD44C3A1

Function 0091833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0091835A
_wcslen.LIBCMT ref: 0091836E
_wcslen.LIBCMT ref: 00918391
_wcslen.LIBCMT ref: 009183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0091361A,?), ref: 0091844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00918487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00918501
FreeLibrary.KERNEL32(?), ref: 0091850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0091851D
DestroyIcon.USER32(?), ref: 0091852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00918549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00918555

Strings

.dll, xrefs: 009183AB
.icl, xrefs: 00918368
.exe, xrefs: 00918388

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b4c4d46bbce0fae480c098ff0317982774b7b83bf6b40f1f1cd9d6ff33720d74
Instruction ID: a976b6bf4b43711ce3d3376c018d1774300e24733b96daf734dcc20e643d0331
Opcode Fuzzy Hash: b4c4d46bbce0fae480c098ff0317982774b7b83bf6b40f1f1cd9d6ff33720d74
Instruction Fuzzy Hash: 8C61BDB1644219BAEB149F64CC81BFF77ACFB44B11F108649F815D60E1DFB4A990EBA0

Function 00887778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 008877FF
Unterminated group of comments, xrefs: 008C528C
#comments-end, xrefs: 008878D9
#pragma compile, xrefs: 008877D3
#comments-start, xrefs: 0088785F, 008878B1
Cannot parse #include, xrefs: 008C5279
#ce, xrefs: 008878ED
#include-once, xrefs: 0088782F
#OnAutoItStartRegister, xrefs: 00887817
#cs, xrefs: 00887873, 008878C5
", xrefs: 008C5153
', xrefs: 008C5169
#notrayicon, xrefs: 008877E7
#include, xrefs: 00887847
Bad directive syntax error, xrefs: 008C519A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 32817e1061aa1805ffdb2a9a80801a62392e16e68724c43485edca012a1db223
Instruction ID: 3d29d337457fd40c4ef9d9d317331fecc4c4946fd3804392f779eb4b97125a6a
Opcode Fuzzy Hash: 32817e1061aa1805ffdb2a9a80801a62392e16e68724c43485edca012a1db223
Instruction Fuzzy Hash: 2B81E271644609ABDF20BF64CC42FAE77B8FF55300F184025F905EA196EB74EA51C7A2

Function 008F3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008F3EF8
_wcslen.LIBCMT ref: 008F3F03
_wcslen.LIBCMT ref: 008F3F5A
_wcslen.LIBCMT ref: 008F3F98
GetDriveTypeW.KERNEL32(?), ref: 008F3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008F401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008F4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008F4087

Strings

set cd door , xrefs: 008F4028
close cd wait, xrefs: 008F4072
open, xrefs: 008F3F54, 008F3F59
type cdaudio alias cd wait, xrefs: 008F4001
wait, xrefs: 008F4044
close, xrefs: 008F3EFE, 008F3F18
closed, xrefs: 008F3F08, 008F3F2D, 008F3F46, 008F3F7E, 008F3F97
open , xrefs: 008F3FE5

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: cdaa80c179704479269017e6c4cab913781271545680f57a14fa3eca1ed1e55a
Instruction ID: dee0dcfbb93167d29b31f656655416b04761e6a3a815f711eed91d2f62eb756a
Opcode Fuzzy Hash: cdaa80c179704479269017e6c4cab913781271545680f57a14fa3eca1ed1e55a
Instruction Fuzzy Hash: 19718A726042069FC710EF38C88087AB7E4FF95758F104929FA95D7251EB31DE45CB92

Function 008E5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008E5A40
SetWindowTextW.USER32(?,?), ref: 008E5A57
GetDlgItem.USER32(?,000003EA), ref: 008E5A6C
SetWindowTextW.USER32(00000000,?), ref: 008E5A72
GetDlgItem.USER32(?,000003E9), ref: 008E5A82
SetWindowTextW.USER32(00000000,?), ref: 008E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008E5AC3
GetWindowRect.USER32(?,?), ref: 008E5ACC
_wcslen.LIBCMT ref: 008E5B33
SetWindowTextW.USER32(?,?), ref: 008E5B6F
GetDesktopWindow.USER32 ref: 008E5B75
GetWindowRect.USER32(00000000), ref: 008E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008E5BD3
GetClientRect.USER32(?,?), ref: 008E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008E5C2F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ed8c36929be71f15f3623266f1e874f02027933629d8b7c2bd0a1b3828300aff
Instruction ID: 15196a67065f35e9b57321df55426017351ddcce8993ea03fb11e14c4f20a7aa
Opcode Fuzzy Hash: ed8c36929be71f15f3623266f1e874f02027933629d8b7c2bd0a1b3828300aff
Instruction Fuzzy Hash: CA718D71A00B49AFDB20DFA9CE85AAEBBF5FF48718F104918E542E25A0D774E940DB50

Function 008FFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 008FFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 008FFE32
LoadCursorW.USER32(00000000,00007F00), ref: 008FFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 008FFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 008FFE53
LoadCursorW.USER32(00000000,00007F01), ref: 008FFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 008FFE69
LoadCursorW.USER32(00000000,00007F88), ref: 008FFE74
LoadCursorW.USER32(00000000,00007F80), ref: 008FFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 008FFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 008FFE95
LoadCursorW.USER32(00000000,00007F85), ref: 008FFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 008FFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 008FFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 008FFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 008FFECC
GetCursorInfo.USER32(?), ref: 008FFEDC
GetLastError.KERNEL32 ref: 008FFF1E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7876286858072becb1f7eba1bc563a9d2e46d7c2b3f1690ee2340fcd700eda74
Instruction ID: 0bab2c7c1d20f13ffc74d70bb9e7a09f588b17f80342ae34bb7b6d87c8416195
Opcode Fuzzy Hash: 7876286858072becb1f7eba1bc563a9d2e46d7c2b3f1690ee2340fcd700eda74
Instruction Fuzzy Hash: C74145B0E483196ADB10DFBA8C8586EBFE8FF04754B50452AF21DE7291DB789901CF91

Function 008A00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008A00C6

Part of subcall function 008A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0095070C,00000FA0,B7A21EF2,?,?,?,?,008C23B3,000000FF), ref: 008A011C
Part of subcall function 008A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008C23B3,000000FF), ref: 008A0127
Part of subcall function 008A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008C23B3,000000FF), ref: 008A0138
Part of subcall function 008A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008A014E
Part of subcall function 008A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008A015C
Part of subcall function 008A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008A016A
Part of subcall function 008A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008A0195
Part of subcall function 008A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008A01A0

___scrt_fastfail.LIBCMT ref: 008A00E7

Part of subcall function 008A00A3: __onexit.LIBCMT ref: 008A00A9

Strings

InitializeConditionVariable, xrefs: 008A0148
WakeAllConditionVariable, xrefs: 008A0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008A0122
SleepConditionVariableCS, xrefs: 008A0154
kernel32.dll, xrefs: 008A0133

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a4f943a99520fe4e4362238ab58b472d2b582c9cebd403a789ec3aedde9c5eee
Instruction ID: 01b87f1f4c35cf314a45e9840429500e490af5b99220a27b3130c6e5b78717d5
Opcode Fuzzy Hash: a4f943a99520fe4e4362238ab58b472d2b582c9cebd403a789ec3aedde9c5eee
Instruction Fuzzy Hash: D321497279C7056FFB106B68AC16FE933A4FB86B55F004139F901D66D1DB749800CE91

Function 008E30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E318D
_wcslen.LIBCMT ref: 008E31F8

Strings

NAME, xrefs: 008E3335, 008E3346
CLASSNN, xrefs: 008E31F3, 008E3204
TEXT, xrefs: 008E347C
REGEXPCLASS, xrefs: 008E3255, 008E3266
CLASS, xrefs: 008E3188, 008E31A5
INSTANCE, xrefs: 008E3453

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f337577a6680d60deb33c67039db08ad75a72657771b03d9f181af235e003b87
Instruction ID: 948c2ba2df51d9bc80de1f41e0a7534da51f8acee08907d2c9300aad1e28e3cd
Opcode Fuzzy Hash: f337577a6680d60deb33c67039db08ad75a72657771b03d9f181af235e003b87
Instruction Fuzzy Hash: 92E12632A00656ABCB18DFB9C449BEEFBB0FF56714F548129E456F3280DB30AE458790

Function 008F44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0091CC08), ref: 008F4527
_wcslen.LIBCMT ref: 008F453B
_wcslen.LIBCMT ref: 008F4599
_wcslen.LIBCMT ref: 008F45F4
_wcslen.LIBCMT ref: 008F463F
_wcslen.LIBCMT ref: 008F46A7

Part of subcall function 0089F9F2: _wcslen.LIBCMT ref: 0089F9FD

GetDriveTypeW.KERNEL32(?,00946BF0,00000061), ref: 008F4743

Strings

cdrom, xrefs: 008F458F, 008F4594
fixed, xrefs: 008F4635, 008F463A
ramdisk, xrefs: 008F46F1
removable, xrefs: 008F45EA, 008F45EF
unknown, xrefs: 008F4708
all, xrefs: 008F4531, 008F4536
network, xrefs: 008F469D, 008F46A2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f873249776e219231aabc8b0f7cec2577670d4787071039f22869b36004e9c1f
Instruction ID: cbd25c716e52a4e1ae0147e948018b9483ca89c81302b1117ada9a6077f32030
Opcode Fuzzy Hash: f873249776e219231aabc8b0f7cec2577670d4787071039f22869b36004e9c1f
Instruction Fuzzy Hash: EBB1B9716083069BC710EF38C890A7BB7E5FFA6724F50591AF696C7291E730D944CB62

Function 00903FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0091CC08), ref: 009040BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009040CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0091CC08), ref: 009040F2
FreeLibrary.KERNEL32(00000000,?,0091CC08), ref: 0090413E
StringFromGUID2.OLE32(?,?,00000028,?,0091CC08), ref: 009041A8
SysFreeString.OLEAUT32(00000009), ref: 00904262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009042C8
SysFreeString.OLEAUT32(?), ref: 009042F2

Strings

GetModuleHandleExW, xrefs: 009040C7
kernel32.dll, xrefs: 009040B6

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e5e0d6ad6a12cc76c1abebee03f64c6b9b0808768ba0d195abb964b98a129203
Instruction ID: 1c831eca54f2d4ee4a5d0a02d62247438e617ad0048845a5d0ad5dd77aa93d64
Opcode Fuzzy Hash: e5e0d6ad6a12cc76c1abebee03f64c6b9b0808768ba0d195abb964b98a129203
Instruction Fuzzy Hash: 85122FB5A00119EFDB14DF54C884EAEB7B9FF45314F248498FA05AB2A1D731ED46CBA0

Function 0088326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00951990), ref: 008C2F8D
GetMenuItemCount.USER32(00951990), ref: 008C303D
GetCursorPos.USER32(?), ref: 008C3081
SetForegroundWindow.USER32(00000000), ref: 008C308A
TrackPopupMenuEx.USER32(00951990,00000000,?,00000000,00000000,00000000), ref: 008C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008C30A9

Strings

0, xrefs: 0088327D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0deae1438a48011b0496c6871a3994237ac7824d39a073a6b90f14a6991e0d52
Instruction ID: 13a0650e79e2aed2ccb42327deafa337bbddb2f4da6e57811d080e82cacf5ecc
Opcode Fuzzy Hash: 0deae1438a48011b0496c6871a3994237ac7824d39a073a6b90f14a6991e0d52
Instruction Fuzzy Hash: 84711771644209BEEB219F29DC49FAABF75FF01764F20421AF524EA1E0C7B1E910DB91

Function 00916CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00916DEB

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00916E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00916E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00916E94
DestroyWindow.USER32(?), ref: 00916EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00880000,00000000), ref: 00916EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00916EFD
GetDesktopWindow.USER32 ref: 00916F16
GetWindowRect.USER32(00000000), ref: 00916F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00916F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00916F4D

Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952

Strings

tooltips_class32, xrefs: 00916E58, 00916EDD
0, xrefs: 00916D98

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 25dc7cb58c7330f0ffc597f08e32a29ee1c183c2465f12230ffdd59e0f4a3a70
Instruction ID: 98f272b6b6e7a12d61641dd4ca543fb17061f2a6e872a1a11c0435ade4cdcdbc
Opcode Fuzzy Hash: 25dc7cb58c7330f0ffc597f08e32a29ee1c183c2465f12230ffdd59e0f4a3a70
Instruction Fuzzy Hash: 84718AB0644349AFDB21CF18DC58FAABBE9FB88304F04451DF99987261C770E946DB11

Function 0091911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

DragQueryPoint.SHELL32(?,?), ref: 00919147

Part of subcall function 00917674: ClientToScreen.USER32(?,?), ref: 0091769A
Part of subcall function 00917674: GetWindowRect.USER32(?,?), ref: 00917710
Part of subcall function 00917674: PtInRect.USER32(?,?,00918B89), ref: 00917720

SendMessageW.USER32(?,000000B0,?,?), ref: 009191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00919225
SendMessageW.USER32(?,000000B0,?,?), ref: 0091923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00919255
SendMessageW.USER32(?,000000B1,?,?), ref: 00919277
DragFinish.SHELL32(?), ref: 0091927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00919371

Strings

@GUI_DRAGID, xrefs: 009192E9
@GUI_DRAGFILE, xrefs: 00919320
@GUI_DROPID, xrefs: 0091929E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 17ab193be30a3a81939528f49d91cf708791e962db6ce4e4fd1a699d456ba2e6
Instruction ID: c35d575db3d75c85ff4de02e3ee3faa73ad88161e975148fa4e3e19f77003344
Opcode Fuzzy Hash: 17ab193be30a3a81939528f49d91cf708791e962db6ce4e4fd1a699d456ba2e6
Instruction Fuzzy Hash: 0F618B71208305AFD701EF64DC95EAFBBE8FF89750F00092EF5A5921A0DB309A49CB52

Function 008FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008FC5F0
InternetCloseHandle.WININET(00000000), ref: 008FC5FB

Strings

, xrefs: 008FC575

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0b310d6a00d04abed81cc243b509cc6eb4aa7c298ab973238545ab5f4d7407ee
Instruction ID: 2acc107d6cd43a378f4239b333c54aaa42d15b19741dea6ff9b50514e474c6f5
Opcode Fuzzy Hash: 0b310d6a00d04abed81cc243b509cc6eb4aa7c298ab973238545ab5f4d7407ee
Instruction Fuzzy Hash: 21513AB164460DBFDB218F74CA88ABB7BBCFB08754F008419FA45D6250DB74EA44EB60

Function 0091856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00918592
GetFileSize.KERNEL32(00000000,00000000), ref: 009185A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 009185AD
CloseHandle.KERNEL32(00000000), ref: 009185BA
GlobalLock.KERNEL32(00000000), ref: 009185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009185D7
GlobalUnlock.KERNEL32(00000000), ref: 009185E0
CloseHandle.KERNEL32(00000000), ref: 009185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009185F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0091FC38,?), ref: 00918611
GlobalFree.KERNEL32(00000000), ref: 00918621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00918641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00918671
DeleteObject.GDI32(00000000), ref: 00918699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009186AF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b040e3c9b2692096bfa12f8156b4a850213075b0c67b62ebbbd0f6bb1de13971
Instruction ID: 06efb53a48bd96c642907bb0f710df15bbff27e06247742e828c54f759c846c8
Opcode Fuzzy Hash: b040e3c9b2692096bfa12f8156b4a850213075b0c67b62ebbbd0f6bb1de13971
Instruction Fuzzy Hash: 704136B1744208AFDB118FA5CC88EAB7BBDEB89B51F108058F915E7260DB309941EB20

Function 008F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 008F1502
VariantCopy.OLEAUT32(?,?), ref: 008F150B
VariantClear.OLEAUT32(?), ref: 008F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 008F1657
VariantInit.OLEAUT32(?), ref: 008F1708
SysFreeString.OLEAUT32(?), ref: 008F178C
VariantClear.OLEAUT32(?), ref: 008F17D8
VariantClear.OLEAUT32(?), ref: 008F17E7
VariantInit.OLEAUT32(00000000), ref: 008F1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008F1625
Default, xrefs: 008F16AF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3f292ac8adf3eb256b86669b4b2ed8f64ab68b911b52db969881fd109da08ea6
Instruction ID: 04e53a37537815baa663c9924ffeeeb90934c6bbf4d693ac294b004ca55806a5
Opcode Fuzzy Hash: 3f292ac8adf3eb256b86669b4b2ed8f64ab68b911b52db969881fd109da08ea6
Instruction Fuzzy Hash: 60D1DE71A0411DDBDF04AF79D888AB9B7B6FF48704F148056E646EB591DB30EC40DBA2

Function 0090B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0090B80A
RegCloseKey.ADVAPI32(?), ref: 0090B87E
RegCloseKey.ADVAPI32(?), ref: 0090B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0090B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0090B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0090B922
FreeLibrary.KERNEL32(00000000), ref: 0090B983
RegCloseKey.ADVAPI32(00000000), ref: 0090B994

Strings

RegDeleteKeyExW, xrefs: 0090B8FE
advapi32.dll, xrefs: 0090B8ED

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2648d897019f6ccfb8c0301ce7b574bf36f84278180189c608f9c9b019d6bcad
Instruction ID: e88b56bef57a0662ed542eecca414400ea28a7ee1ee279acad5379d01a275a61
Opcode Fuzzy Hash: 2648d897019f6ccfb8c0301ce7b574bf36f84278180189c608f9c9b019d6bcad
Instruction Fuzzy Hash: D9C18C31208201AFD714DF18C494F2ABBE5FF84318F14855CE5AA8B6A2CB75ED45CB92

Function 0090255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009025E8
CreateCompatibleDC.GDI32(?), ref: 009025F4
SelectObject.GDI32(00000000,?), ref: 00902601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0090266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009026D0
SelectObject.GDI32(?,?), ref: 009026D8
DeleteObject.GDI32(?), ref: 009026E1
DeleteDC.GDI32(?), ref: 009026E8
ReleaseDC.USER32(00000000,?), ref: 009026F3

Strings

(, xrefs: 0090268D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dd73e96979e2b2c45b637691a51191ca2dbdad0600b834669022b6818548fe64
Instruction ID: 67a92bc8343359dc2f700488c27d27521bd9db9328b3a13bbd8ca023d3be9fe7
Opcode Fuzzy Hash: dd73e96979e2b2c45b637691a51191ca2dbdad0600b834669022b6818548fe64
Instruction Fuzzy Hash: E961F4B5E04219EFCF04CFA8D884AAEBBF5FF48310F24852AE955A7250D771A941DF50

Function 008BDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008BDAA1

Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD659
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD66B
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD67D
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD68F
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6A1
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6B3
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6C5
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6D7
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6E9
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD6FB
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD70D
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD71F
Part of subcall function 008BD63C: _free.LIBCMT ref: 008BD731

_free.LIBCMT ref: 008BDA96

Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0

_free.LIBCMT ref: 008BDAB8
_free.LIBCMT ref: 008BDACD
_free.LIBCMT ref: 008BDAD8
_free.LIBCMT ref: 008BDAFA
_free.LIBCMT ref: 008BDB0D
_free.LIBCMT ref: 008BDB1B
_free.LIBCMT ref: 008BDB26
_free.LIBCMT ref: 008BDB5E
_free.LIBCMT ref: 008BDB65
_free.LIBCMT ref: 008BDB82
_free.LIBCMT ref: 008BDB9A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3c7b9a7111da753cabaad66ca859c32d0d99fe00c2cb7c0590ce51ce036f91da
Instruction ID: 679876610363265a5d2ea64d818cef61176d1e2f7c4714e98fe648019951a951
Opcode Fuzzy Hash: 3c7b9a7111da753cabaad66ca859c32d0d99fe00c2cb7c0590ce51ce036f91da
Instruction Fuzzy Hash: F0312C71644705BFEB21AA39E845FDABBE9FF10320F154819E449D7392EE31AC448725

Function 008E365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008E369C
_wcslen.LIBCMT ref: 008E36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008E3797
GetClassNameW.USER32(?,?,00000400), ref: 008E380C
GetDlgCtrlID.USER32(?), ref: 008E385D
GetWindowRect.USER32(?,?), ref: 008E3882
GetParent.USER32(?), ref: 008E38A0
ScreenToClient.USER32(00000000), ref: 008E38A7
GetClassNameW.USER32(?,?,00000100), ref: 008E3921
GetWindowTextW.USER32(?,?,00000400), ref: 008E395D

Strings

%s%u, xrefs: 008E3734

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c07eac72828ee507568d8224d84107d97fde58430c39a29cd7b04ba4643bd07c
Instruction ID: 5a2673dedc5a297b2d058a6e73716a680fa48e7a00d0a4aa59d85be6f28b1131
Opcode Fuzzy Hash: c07eac72828ee507568d8224d84107d97fde58430c39a29cd7b04ba4643bd07c
Instruction Fuzzy Hash: F591D171204746AFD718EF26C889BEAB7A8FF46350F008529F999D3191DB30EE45CB91

Function 008E4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008E4994
GetWindowTextW.USER32(?,?,00000400), ref: 008E49DA
_wcslen.LIBCMT ref: 008E49EB
CharUpperBuffW.USER32(?,00000000), ref: 008E49F7
_wcsstr.LIBVCRUNTIME ref: 008E4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008E4B20
GetWindowRect.USER32(?,?), ref: 008E4B8B

Strings

ThumbnailClass, xrefs: 008E4A6F, 008E4AF1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 814daae21ab2e000f8b4d5dd0b66f1711f8a6a863d6cefa0094063e9ccd2b0b9
Instruction ID: 80cc8fd69cd95944f20b86400f7e5fa81ade602913cd5b06c3ed0dbd37f5193d
Opcode Fuzzy Hash: 814daae21ab2e000f8b4d5dd0b66f1711f8a6a863d6cefa0094063e9ccd2b0b9
Instruction Fuzzy Hash: 5B91EE711082469FDB04DF56C884FAA77E8FF86324F049469FD89DA096DB30ED45CBA2

Function 008EBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00951990,000000FF,00000000,00000030), ref: 008EBFAC
SetMenuItemInfoW.USER32(00951990,00000004,00000000,00000030), ref: 008EBFE1
Sleep.KERNEL32(000001F4), ref: 008EBFF3
GetMenuItemCount.USER32(?), ref: 008EC039
GetMenuItemID.USER32(?,00000000), ref: 008EC056
GetMenuItemID.USER32(?,-00000001), ref: 008EC082
GetMenuItemID.USER32(?,?), ref: 008EC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008EC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008EC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008EC145

Strings

0, xrefs: 008EBF3D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 150e881c1fe9a93c4bd307e2c5ff62ff57b9846d6e906594e5b00ced2e24b0bf
Instruction ID: c3c0bcdb115475e966d838c59987ad29ce011681aac12761c171459bec323724
Opcode Fuzzy Hash: 150e881c1fe9a93c4bd307e2c5ff62ff57b9846d6e906594e5b00ced2e24b0bf
Instruction Fuzzy Hash: 87616CB0A1428AAFDB11CF69DD88AEEBBA9FB06344F104055F811E3291C731AD06DB61

Function 0090CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0090CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0090CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0090CD48

Part of subcall function 0090CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0090CCAA
Part of subcall function 0090CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0090CCBD
Part of subcall function 0090CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0090CCCF
Part of subcall function 0090CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0090CD05
Part of subcall function 0090CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0090CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0090CCF3

Strings

RegDeleteKeyExW, xrefs: 0090CCC9
advapi32.dll, xrefs: 0090CCB8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 337127ed5e4d067ae9bc1252a68191fb25787b7851e9d9efc03930fc7c3c949e
Instruction ID: e48131fe300328eee3bce47af7d8c4c23913f939a9d1ce399bec2796aa59f11d
Opcode Fuzzy Hash: 337127ed5e4d067ae9bc1252a68191fb25787b7851e9d9efc03930fc7c3c949e
Instruction Fuzzy Hash: 3C3161B1A45129BFDB208B94DC88EFFBB7CEF45750F004665B906E2290D7349E45EAA0

Function 008F3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008F3D40
_wcslen.LIBCMT ref: 008F3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 008F3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008F3DBE
RemoveDirectoryW.KERNEL32(?), ref: 008F3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008F3E55
CloseHandle.KERNEL32(00000000), ref: 008F3E60
CloseHandle.KERNEL32(00000000), ref: 008F3E6B

Strings

\, xrefs: 008F3D77
\??\%s, xrefs: 008F3D5B
:, xrefs: 008F3D82

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 620e097da3d35034ac0449f94d94e07ddd8fe7d8b6b97978cfdd9b217c378cbc
Instruction ID: 50501bd0e42dde45b7e1942ff165ce6f9a927b5fb5d579c028a71f350b128fbe
Opcode Fuzzy Hash: 620e097da3d35034ac0449f94d94e07ddd8fe7d8b6b97978cfdd9b217c378cbc
Instruction Fuzzy Hash: 5A31AFB2A54219ABDB21ABA4DC49FEF37BDFF89740F1040A5F619D6060EB709744CB24

Function 008EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008EE6B4

Part of subcall function 0089E551: timeGetTime.WINMM(?,?,008EE6D4), ref: 0089E555

Sleep.KERNEL32(0000000A), ref: 008EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008EE727
SetActiveWindow.USER32 ref: 008EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008EE773
Sleep.KERNEL32(000000FA), ref: 008EE77E
IsWindow.USER32 ref: 008EE78A
EndDialog.USER32(00000000), ref: 008EE79B

Strings

BUTTON, xrefs: 008EE719

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c7eb7390ab60e7d7f1e1fc8e0f5c8438b99db82e562bce93474dd7e3bc2e9f54
Instruction ID: b4c69ac434c183c497a4e4d6c9ba4699950539782f56dd0ca62c3a1b597c05c4
Opcode Fuzzy Hash: c7eb7390ab60e7d7f1e1fc8e0f5c8438b99db82e562bce93474dd7e3bc2e9f54
Instruction Fuzzy Hash: 192181B036C785AFEB105F26EC89B693B69F75634AF104425F415C21B1DB71AC00EB25

Function 008EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008EEAA7

Strings

play PlayMe, xrefs: 008EEAA2
close PlayMe, xrefs: 008EEA6E, 008EEA9B
alias PlayMe, xrefs: 008EEA36
status PlayMe mode, xrefs: 008EEA58
play PlayMe wait, xrefs: 008EEA91
open , xrefs: 008EEA0C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ec4ca47b5c253451ce7829cb57f95a0dcec926f341a58ee9f2bfd367126bd7cf
Instruction ID: d43589d2128691948fbbf43f246d37a38fdf02bd1076b584f38a98bdd35b3883
Opcode Fuzzy Hash: ec4ca47b5c253451ce7829cb57f95a0dcec926f341a58ee9f2bfd367126bd7cf
Instruction Fuzzy Hash: 0611547165026979D730B766DC4ADFF6A7CFBD2B44F000429B401E20D1EAB04A05C6B2

Function 008E9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008EA012
SetKeyboardState.USER32(?), ref: 008EA07D
GetAsyncKeyState.USER32(000000A0), ref: 008EA09D
GetKeyState.USER32(000000A0), ref: 008EA0B4
GetAsyncKeyState.USER32(000000A1), ref: 008EA0E3
GetKeyState.USER32(000000A1), ref: 008EA0F4
GetAsyncKeyState.USER32(00000011), ref: 008EA120
GetKeyState.USER32(00000011), ref: 008EA12E
GetAsyncKeyState.USER32(00000012), ref: 008EA157
GetKeyState.USER32(00000012), ref: 008EA165
GetAsyncKeyState.USER32(0000005B), ref: 008EA18E
GetKeyState.USER32(0000005B), ref: 008EA19C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 904dc6d5ca9fce4ff15cc53f8b193a4ede0a8c277767ff984d31a1b292ead262
Instruction ID: 43610fe00a66fbc898ad9522059803327b1c59a2acbabc4531e89b026c5e9f5c
Opcode Fuzzy Hash: 904dc6d5ca9fce4ff15cc53f8b193a4ede0a8c277767ff984d31a1b292ead262
Instruction Fuzzy Hash: C251EB206087C869FB39DB6684107EABFB5EF13780F088599D5C2D71C2DA94BA4CC763

Function 008E5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008E5CE2
GetWindowRect.USER32(00000000,?), ref: 008E5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008E5D59
GetDlgItem.USER32(?,00000002), ref: 008E5D69
GetWindowRect.USER32(00000000,?), ref: 008E5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008E5DCF
GetDlgItem.USER32(?,000003E9), ref: 008E5DDD
GetWindowRect.USER32(00000000,?), ref: 008E5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008E5E31
GetDlgItem.USER32(?,000003EA), ref: 008E5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008E5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008E5E67

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ab57e5a0f902e2b0f8f4899875b699a9923d790a88e9308fb8083955c20f9318
Instruction ID: 9816faec88fe601aefc7a94dfc97d9cc5a1bcfa6daf3edbc54a4d5710719a3e0
Opcode Fuzzy Hash: ab57e5a0f902e2b0f8f4899875b699a9923d790a88e9308fb8083955c20f9318
Instruction Fuzzy Hash: 63513FB0B5060AAFDF18CF69CD89AAEBBB5FB49304F108129F515E7290D770AE00CB50

Function 00898BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00898F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00898BE8,?,00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898FC5

DestroyWindow.USER32(?), ref: 00898C81
KillTimer.USER32(00000000,?,?,?,?,00898BBA,00000000,?), ref: 00898D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00898BBA,00000000,?), ref: 008D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00898BBA,00000000,?), ref: 008D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00898BBA,00000000), ref: 008D69D4
DeleteObject.GDI32(00000000), ref: 008D69E6

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f4b351f00408f8ad675913bddc68b59b658a84d739db585fe37345ec64d9daba
Instruction ID: 08682a6297f7a8b5f27f5ab7e68571e6ba904bfc7a11aceaf604c2fbad8c2ad4
Opcode Fuzzy Hash: f4b351f00408f8ad675913bddc68b59b658a84d739db585fe37345ec64d9daba
Instruction Fuzzy Hash: 9061BD3051A71ADFCF25AF19D958B2977F1FB4131AF188519E082DB6A0CB31AD90EF90

Function 00899838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00899944: GetWindowLongW.USER32(?,000000EB), ref: 00899952

GetSysColor.USER32(0000000F), ref: 00899862

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9b897d9e00853d7113078bce80a2274224dcf688230ca7767a9a7e837c886f04
Instruction ID: 1937afdbb3c5c4b1ba454f3444782ea712dfbbe077d1469f573415367a4c612b
Opcode Fuzzy Hash: 9b897d9e00853d7113078bce80a2274224dcf688230ca7767a9a7e837c886f04
Instruction Fuzzy Hash: 6D418E71248644AEDF216F3C9C84BB93B65FB06321F18465DF9E2D62E1E7319841EB11

Function 008E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008E9717
LoadStringW.USER32(00000000,?,008CF7F8,00000001), ref: 008E9720

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008E9742
LoadStringW.USER32(00000000,?,008CF7F8,00000001), ref: 008E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008E9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008E984A
^ ERROR, xrefs: 008E97FB
Line %d:, xrefs: 008E97A0
Line %d (File "%s"):, xrefs: 008E978F
Error: , xrefs: 008E981D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 0000ca38fcf038177a645859c3f9e384ac50b24ece5ff5dd341e0de6c4b4e310
Instruction ID: 0b239099834212698a0bedbdf34eff0d881cf1ceb732891f22e7cff7c3b390fe
Opcode Fuzzy Hash: 0000ca38fcf038177a645859c3f9e384ac50b24ece5ff5dd341e0de6c4b4e310
Instruction Fuzzy Hash: C9416B72904219AACF04FBE8DD86DEE7778FF56740F140025F201B2092EA756F48CB62

Function 008E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008E083C

Strings

\IPC$, xrefs: 008E0784
SOFTWARE\Classes\, xrefs: 008E070E
\CLSID, xrefs: 008E0724

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 842a480d94b72d2c4bc195bca09fc92e9bd199ae34cc68c6eeb9b328cf9c898a
Instruction ID: 355aec2ebb88123a00a81df870648e75bc2ab7c10defd68ec551040de7e5fbd9
Opcode Fuzzy Hash: 842a480d94b72d2c4bc195bca09fc92e9bd199ae34cc68c6eeb9b328cf9c898a
Instruction Fuzzy Hash: 5A413A72C10229ABDF15EBA4DC85CEDB778FF08350F054129E911A31A1EB709E44CF91

Function 00913F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0091403B
CreateCompatibleDC.GDI32(00000000), ref: 00914042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00914055
SelectObject.GDI32(00000000,00000000), ref: 0091405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00914068
DeleteDC.GDI32(00000000), ref: 00914072
GetWindowLongW.USER32(?,000000EC), ref: 0091407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00914092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0091409E

Strings

static, xrefs: 00913FD3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 65c54a6ac04c84635f4e2ec69dca7aab7beb726f499c5cdcaed57ef795fffdf1
Instruction ID: 82933501e67733bf92fe4b7e689d7a6ec09232be87d2512d2654dc32e6bb769a
Opcode Fuzzy Hash: 65c54a6ac04c84635f4e2ec69dca7aab7beb726f499c5cdcaed57ef795fffdf1
Instruction Fuzzy Hash: 93318E72654219BBDF229FA4CC08FDA3B69FF0D364F114210FA18E61A0C775D860EB50

Function 00903C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00903C5C
CoInitialize.OLE32(00000000), ref: 00903C8A
CoUninitialize.OLE32 ref: 00903C94
_wcslen.LIBCMT ref: 00903D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00903DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00903ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00903F0E
CoGetObject.OLE32(?,00000000,0091FB98,?), ref: 00903F2D
SetErrorMode.KERNEL32(00000000), ref: 00903F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00903FC4
VariantClear.OLEAUT32(?), ref: 00903FD8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 034a856722984b3079a5f7d23ccb2b4279b8aa558d38ca44b7d4d7ca3efeaa3d
Instruction ID: e4abca37857fe76834ea6d23c4fc1ba0ef83148f690be9c8e6f3915e797d3acf
Opcode Fuzzy Hash: 034a856722984b3079a5f7d23ccb2b4279b8aa558d38ca44b7d4d7ca3efeaa3d
Instruction Fuzzy Hash: D9C123B16082059FD700DF68C88496BBBE9FF89744F14891DF98ADB290D731EE05CB52

Function 008F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 008F7BA3
CoCreateInstance.OLE32(0091FD08,00000000,00000001,00946E6C,?), ref: 008F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008F7C74
CoTaskMemFree.OLE32(?,?), ref: 008F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 008F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008F7D7A
CoTaskMemFree.OLE32(00000000), ref: 008F7D81
CoTaskMemFree.OLE32(00000000), ref: 008F7DD6
CoUninitialize.OLE32 ref: 008F7DDC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 856ea73fa932ab99916b8a8415a32da98fa508618ef194888e4e4a93d56c34d3
Instruction ID: a748b13d6aeed02e8ffc543aaa9cf8db1096004b13bcb5da931cf3eaf42e29c6
Opcode Fuzzy Hash: 856ea73fa932ab99916b8a8415a32da98fa508618ef194888e4e4a93d56c34d3
Instruction Fuzzy Hash: ADC11B75A04109AFDB14DFA8C884DAEBBF9FF48314B148499E919DB361D730EE45CB90

Function 0091541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00915504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00915515
CharNextW.USER32(00000158), ref: 00915544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00915585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0091559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009155AC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: ab424eb06ab5b3f5fb1650b317b816bdeab1926aa0b599eccbfc0207ebcf12c3
Instruction ID: 6b4aad1f044ec730aba7b41aa493c753341e80670b9e7b134e0f9db71309f041
Opcode Fuzzy Hash: ab424eb06ab5b3f5fb1650b317b816bdeab1926aa0b599eccbfc0207ebcf12c3
Instruction Fuzzy Hash: 7A61B170B0460DEFDF108F55CC84AFE7BB9EB89360F528545F525A62A0D7748AC0DB61

Function 008DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008DFB08
VariantInit.OLEAUT32(?), ref: 008DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008DFB3A
VariantCopy.OLEAUT32(?,?), ref: 008DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008DFBA1
VariantClear.OLEAUT32(?), ref: 008DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008DFBCC
VariantClear.OLEAUT32(?), ref: 008DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008DFBE9

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 67e374b3ae18194f9fd77b8f0044e8d5e628abb88ad23f37d4db530ca124ba59
Instruction ID: 77bf5a954be407dc385ed49ff952e30ba05723efcf303b0289a5a334c9a14749
Opcode Fuzzy Hash: 67e374b3ae18194f9fd77b8f0044e8d5e628abb88ad23f37d4db530ca124ba59
Instruction Fuzzy Hash: A5415275A04219AFDB00DF68D8549EDBBB9FF08354F00816AE946E7361CB30A945DF91

Function 008E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008E9D22
GetKeyState.USER32(000000A0), ref: 008E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008E9D57
GetKeyState.USER32(000000A1), ref: 008E9D6C
GetAsyncKeyState.USER32(00000011), ref: 008E9D84
GetKeyState.USER32(00000011), ref: 008E9D96
GetAsyncKeyState.USER32(00000012), ref: 008E9DAE
GetKeyState.USER32(00000012), ref: 008E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008E9DD8
GetKeyState.USER32(0000005B), ref: 008E9DEA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 78ce97c6894d074268003889a85e6fe107b873f452faad2f518254770b49fee2
Instruction ID: 8a97093899e5a2f557fb1d8ad318c4772e856e3b71af665ed46263556c2eb36f
Opcode Fuzzy Hash: 78ce97c6894d074268003889a85e6fe107b873f452faad2f518254770b49fee2
Instruction Fuzzy Hash: 1641D8746087DA6DFF30966688043F5BEA1FF13344F04805ADAC6D66C2DBE499C8C792

Function 0090055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009005BC
inet_addr.WSOCK32(?), ref: 0090061C
gethostbyname.WSOCK32(?), ref: 00900628
IcmpCreateFile.IPHLPAPI ref: 00900636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009007B9
WSACleanup.WSOCK32 ref: 009007BF

Strings

Ping, xrefs: 00900676

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ab5ad2d350beca67e32b57f084ba719cc8d9ce5191a9b7c5254a85742df23cf4
Instruction ID: 6889d271c61cac902fa9b7bb747e571e419061e093cf3b58a9666472f780ec58
Opcode Fuzzy Hash: ab5ad2d350beca67e32b57f084ba719cc8d9ce5191a9b7c5254a85742df23cf4
Instruction Fuzzy Hash: FA919C756082019FD720DF19C888F1ABBE5EF85318F1485A9F469CB6A2C734ED41CF92

Function 00908CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00908CF3

Part of subcall function 008E8E54: _wcslen.LIBCMT ref: 008E8E77

_wcslen.LIBCMT ref: 00908D4E
_wcslen.LIBCMT ref: 00908D9C
_wcslen.LIBCMT ref: 00908DDC
_wcslen.LIBCMT ref: 00908E6E

Strings

none, xrefs: 00908E65, 00908E6A
cdecl, xrefs: 00908D48, 00908D4D
stdcall, xrefs: 00908DD6, 00908DDB
winapi, xrefs: 00908D96, 00908D9B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e90fdadc690d3d8522e8107db12db2ba7e26cc6b74d129449e5ea4214b8d020c
Instruction ID: c731d1378ba486d69c4d334ce7213fde2ee7f5da686464324c4df200772787d1
Opcode Fuzzy Hash: e90fdadc690d3d8522e8107db12db2ba7e26cc6b74d129449e5ea4214b8d020c
Instruction Fuzzy Hash: E9519E32A005169ECF24EF6CC9409BFB7AABF65724B254629E4A6E72C0DB30DD40C791

Function 0090372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00903774
CoUninitialize.OLE32 ref: 0090377F
CoCreateInstance.OLE32(?,00000000,00000017,0091FB78,?), ref: 009037D9
IIDFromString.OLE32(?,?), ref: 0090384C
VariantInit.OLEAUT32(?), ref: 009038E4
VariantClear.OLEAUT32(?), ref: 00903936

Strings

Failed to create object, xrefs: 009037E4, 0090389A
Invalid parameter, xrefs: 00903865
NULL Pointer assignment, xrefs: 0090381E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c435b2f2fded819d28a348210c7052d060051eb2950298ee547e3c00adaae369
Instruction ID: 56498e29ce1a667df6d40c47cac5c470a7059a703177730a2d54f2393d65918c
Opcode Fuzzy Hash: c435b2f2fded819d28a348210c7052d060051eb2950298ee547e3c00adaae369
Instruction Fuzzy Hash: E1619FB0608301AFD310DF64C889F6AB7E8FF89714F148949F9959B291D770EE48CB92

Function 008F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008F33CF

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008F33F0

Strings

Incorrect parameters to object property !, xrefs: 008F34AB
^ ERROR , xrefs: 008F349E
"%s" (%d) : ==> %s:%s%s, xrefs: 008F3504
"%s" (%d) : ==> %s:, xrefs: 008F3522
Line %d (File "%s"):, xrefs: 008F3443, 008F345C
Error: , xrefs: 008F34D1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 992cb11f995f63d5117e9d88bea9803a8e06ac1c369a0aa51882360bc7097a83
Instruction ID: 8eb5a71031b9ec8a9da435fe0887b54c60064567f0a65b994cc224b25356c964
Opcode Fuzzy Hash: 992cb11f995f63d5117e9d88bea9803a8e06ac1c369a0aa51882360bc7097a83
Instruction Fuzzy Hash: 0751667290020AAADF14EBA4DD46EFEB778FF59344F144065F105B20A2EB316F58DB62

Function 008EB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008EB5FC
_wcslen.LIBCMT ref: 008EB608
_wcslen.LIBCMT ref: 008EB64D
_wcslen.LIBCMT ref: 008EB68C
_wcslen.LIBCMT ref: 008EB6C7

Strings

REMOVE, xrefs: 008EB602, 008EB607
APPEND, xrefs: 008EB6C1, 008EB6C6
KEYS, xrefs: 008EB647, 008EB64C
EXISTS, xrefs: 008EB686, 008EB68B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f9c993c1f80b908fe5da71d2cf03f552a1d8a0630e32af35bc5d3fe22bbc9d94
Instruction ID: 9ff66d5c245e8cf05238c49be99afa34e6ee9066c553b34ecac62881b24ea287
Opcode Fuzzy Hash: f9c993c1f80b908fe5da71d2cf03f552a1d8a0630e32af35bc5d3fe22bbc9d94
Instruction Fuzzy Hash: CD41C772A041679BCB206F7E8C905BFBBA5FBB2754B244129E461D72A4F731CD81C790

Function 008F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008F5416
GetLastError.KERNEL32 ref: 008F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 008F54A7

Strings

INVALID, xrefs: 008F5459
READY, xrefs: 008F5460, 008F5468
READONLY, xrefs: 008F5452
NOTREADY, xrefs: 008F544B
UNKNOWN, xrefs: 008F5444

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fb6ebffdb5bfc48c99c21512e65bed7d93d9e42c88bb5b7611a6f0392de14572
Instruction ID: aede291c979f0d1050ca90a140ebc56cf6d3a936f2659332e7223101d1622e01
Opcode Fuzzy Hash: fb6ebffdb5bfc48c99c21512e65bed7d93d9e42c88bb5b7611a6f0392de14572
Instruction Fuzzy Hash: C23191B5A046099FC710DF68C884ABABBB4FB15305F148069E605DB292D731DD86CBA1

Function 00913C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00913C79
SetMenu.USER32(?,00000000), ref: 00913C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00913D10
IsMenu.USER32(?), ref: 00913D24
CreatePopupMenu.USER32 ref: 00913D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00913D5B
DrawMenuBar.USER32 ref: 00913D63

Strings

F, xrefs: 00913D4E
0, xrefs: 00913C54

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 54482a6bf649f098a55aa4e7c310559de5d966154c0f60902f0c851da0537640
Instruction ID: 4ae5af75d08841febed1446183c1c7a7de21166f052f178da29335af5eb4d10a
Opcode Fuzzy Hash: 54482a6bf649f098a55aa4e7c310559de5d966154c0f60902f0c851da0537640
Instruction Fuzzy Hash: D8418CB8A05209AFDB14CF64E844ADA77B9FF49314F148028F946973A0D730AA10DB90

Function 008E1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008E1F64
GetDlgCtrlID.USER32 ref: 008E1F6F
GetParent.USER32 ref: 008E1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 008E1F8E
GetDlgCtrlID.USER32(?), ref: 008E1F97
GetParent.USER32(?), ref: 008E1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 008E1FAE

Strings

ComboBox, xrefs: 008E1EEC
ListBox, xrefs: 008E1F21

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 24eeb31f288d8fc4cc8d6feac1725685e18dea4f9f69351053d565a273bbc2a8
Instruction ID: e79343c24a870e38874e58026216afa41e006be338bd5c4804a19ee8e1e5a42d
Opcode Fuzzy Hash: 24eeb31f288d8fc4cc8d6feac1725685e18dea4f9f69351053d565a273bbc2a8
Instruction Fuzzy Hash: DE21C270A40214BFCF04AFA5DC89DFEBBB8FF06354B104115F961A7291DB359904DBA0

Function 008E1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008E2043
GetDlgCtrlID.USER32 ref: 008E204E
GetParent.USER32 ref: 008E206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008E206D
GetDlgCtrlID.USER32(?), ref: 008E2076
GetParent.USER32(?), ref: 008E208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008E208D

Strings

ComboBox, xrefs: 008E1FCD
ListBox, xrefs: 008E2002

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 52fd04e0f1b040ba56bf3dc1ddcef5b99270e830b00b428f34502c0a0d894f8d
Instruction ID: 8051c5581a75ea5583e931331f6612bb097fa8bbd87e36854e02a200af4b5d53
Opcode Fuzzy Hash: 52fd04e0f1b040ba56bf3dc1ddcef5b99270e830b00b428f34502c0a0d894f8d
Instruction Fuzzy Hash: 6A21CFB1A40218BFCF11AFA5CC85EFEBBB8FF0A344F104015F991A71A1DA758914DB60

Function 00913A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00913A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00913AA0
GetWindowLongW.USER32(?,000000F0), ref: 00913AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00913AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00913B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00913BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00913BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00913BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00913BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00913C13

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7da75ff177b7aae8fc39744ca65fc9cca9284b1ec6cf282eee5388d206f57d45
Instruction ID: 201f7018c45f08435cfeb111275fdaffc92e8616f275a4813c428defa1692a7c
Opcode Fuzzy Hash: 7da75ff177b7aae8fc39744ca65fc9cca9284b1ec6cf282eee5388d206f57d45
Instruction Fuzzy Hash: 01618975A00208AFDB20DFA8CC81FEE77B8EB49714F104099FA15E72A1D774AE85DB50

Function 008EB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008EB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB165
GetWindowThreadProcessId.USER32(00000000), ref: 008EB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008EB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008EA1E1,?,00000001), ref: 008EB21D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: af2c79e0e7f99a1fc1e021c15991e8a1745b71e4f4e4f2634019c98c21f316ac
Instruction ID: 78b015e0c381c4fe2e05893eee211b1f311cb0fdde27bb4524dad0cf9c41de21
Opcode Fuzzy Hash: af2c79e0e7f99a1fc1e021c15991e8a1745b71e4f4e4f2634019c98c21f316ac
Instruction Fuzzy Hash: 1431A9B5668344BFDB109F26DC48BAE7BA9FF523A2F108009FA00D6190D7B49A00DF64

Function 008B2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008B2C94

Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0

_free.LIBCMT ref: 008B2CA0
_free.LIBCMT ref: 008B2CAB
_free.LIBCMT ref: 008B2CB6
_free.LIBCMT ref: 008B2CC1
_free.LIBCMT ref: 008B2CCC
_free.LIBCMT ref: 008B2CD7
_free.LIBCMT ref: 008B2CE2
_free.LIBCMT ref: 008B2CED
_free.LIBCMT ref: 008B2CFB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7782dd5c82580a8bed776dbce9ece1505cec16cb73ae0098da5a05c5ae6c7c81
Instruction ID: 85b8f11fa52c12336e2807cb1877395401715c35b398539a8f0add1f1a2ac2ff
Opcode Fuzzy Hash: 7782dd5c82580a8bed776dbce9ece1505cec16cb73ae0098da5a05c5ae6c7c81
Instruction Fuzzy Hash: A0116376500108BFCB02EF58D982DDD3FA9FF09350F5149A5FA489B322DA31EA549B91

Function 008F7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008F7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 008F7FC1
GetFileAttributesW.KERNEL32(?), ref: 008F7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 008F8005
SetCurrentDirectoryW.KERNEL32(?), ref: 008F8017
SetCurrentDirectoryW.KERNEL32(?), ref: 008F8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008F80B0

Strings

*.*, xrefs: 008F8066

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 2cf42e416e6d3c7c5e59c0e5e61b69b592a65e8fb3a611f7bd1f505e85d146a9
Instruction ID: 7ccbdd119453a04372860d185963f359f1b5a0674204cf99b02cd8741b52f0de
Opcode Fuzzy Hash: 2cf42e416e6d3c7c5e59c0e5e61b69b592a65e8fb3a611f7bd1f505e85d146a9
Instruction Fuzzy Hash: 2981A0715082499BEB20EF28C8449BEB3E8FF89714F54486EFA85C7250EB74DD45CB52

Function 00885BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00885C7A

Part of subcall function 00885D0A: GetClientRect.USER32(?,?), ref: 00885D30
Part of subcall function 00885D0A: GetWindowRect.USER32(?,?), ref: 00885D71
Part of subcall function 00885D0A: ScreenToClient.USER32(?,?), ref: 00885D99

GetDC.USER32 ref: 008C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008C4708
SelectObject.GDI32(00000000,00000000), ref: 008C4716
SelectObject.GDI32(00000000,00000000), ref: 008C472B
ReleaseDC.USER32(?,00000000), ref: 008C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008C47C4

Strings

U, xrefs: 008C4693

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e820d75cce9b82ae03217d4b662635c754a0c42c7472b92b3edbcc052eb83abd
Instruction ID: 28a1ba7f4a50442e6b3a9b4e991f32512952aea60fffc8346030c3f5928999ae
Opcode Fuzzy Hash: e820d75cce9b82ae03217d4b662635c754a0c42c7472b92b3edbcc052eb83abd
Instruction Fuzzy Hash: C971DE30500209DFCF219F64C994FEA3BB2FF4A364F245269ED559A2AAC730C881EF50

Function 008F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008F35E4

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

LoadStringW.USER32(00952390,?,00000FFF,?), ref: 008F360A

Strings

^ ERROR, xrefs: 008F36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 008F3724
"%s" (%d) : ==> %s:, xrefs: 008F3742
Line %d (File "%s"):, xrefs: 008F366B
Error: , xrefs: 008F36EF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 24e9499eff2cbe4f86f2e0d5491518e9a8148e4c3469a497300bfb30b5df1484
Instruction ID: cf6d93c7bc8e7b27446ce3fea8fc130873b1438dd428fc373a46e7e1d7ce683c
Opcode Fuzzy Hash: 24e9499eff2cbe4f86f2e0d5491518e9a8148e4c3469a497300bfb30b5df1484
Instruction Fuzzy Hash: 33515D7190020AAADF14FBA4DC42EFEBB79FF15304F144125F205B21A1EB315B99DBA2

Function 008FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008FC2CA
GetLastError.KERNEL32 ref: 008FC322
SetEvent.KERNEL32(?), ref: 008FC336
InternetCloseHandle.WININET(00000000), ref: 008FC341

Strings

, xrefs: 008FC2BB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 92c061ef663faf2e9ebe365fdc75123e84dcb803ed993cc2c356f95571252591
Instruction ID: 3df081a4aea1b67d5bd404e9cc825177db62ae735071cc9059b4b87dcfd60db3
Opcode Fuzzy Hash: 92c061ef663faf2e9ebe365fdc75123e84dcb803ed993cc2c356f95571252591
Instruction Fuzzy Hash: 66316BB164460CAFD7219FB48A88ABB7AFCFB49784B14851EF546D2240DB70DE04DB61

Function 008E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008C3AAF,?,?,Bad directive syntax error,0091CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008E98BC
LoadStringW.USER32(00000000,?,008C3AAF,?), ref: 008E98C3

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008E9987

Strings

Line %d:, xrefs: 008E9912
%s (%d) : ==> %s.: %s %s, xrefs: 008E98F1
Line %d (File "%s"):, xrefs: 008E992D
Error: , xrefs: 008E9955
., xrefs: 008E996D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8b363128e1d08353a77a26578aa3dc49cc24973a5ad2165d62d4b0a3cff0039d
Instruction ID: f11b5022ea7f442f6f90a754a1633129811ee53b97f2aaba43c797488220fbe2
Opcode Fuzzy Hash: 8b363128e1d08353a77a26578aa3dc49cc24973a5ad2165d62d4b0a3cff0039d
Instruction Fuzzy Hash: 3E218D7294021EABCF15BF94CC0AEEE7739FF19704F084469F515A20A2EB719A18DB52

Function 008E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008E214D

Strings

smallicons, xrefs: 008E2115
details, xrefs: 008E20FB
list, xrefs: 008E212F
largeicons, xrefs: 008E20E1
SHELLDLL_DefView, xrefs: 008E20CC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 3d8f85d2ed03b7850e4beb64709543c1924c240e00bcaa530e5f4592d9314590
Instruction ID: 2f5c04c10b4c380bcbbd94135406085ceb952428dde7e6da70bfde5faf09302a
Opcode Fuzzy Hash: 3d8f85d2ed03b7850e4beb64709543c1924c240e00bcaa530e5f4592d9314590
Instruction Fuzzy Hash: 071106766C871BBAFB016225EC06DE6379CEB47328B210016FB04E50E2FAA1B9416615

Function 008B8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb045a0ba201d2ee6427f9e78765929373c8d05eb0dc5adfe88cbb7beda38bac
Instruction ID: c036d37d4a291333c2c4207b7ab5d02a445cbdeb9452773cff01cd517f37d65b
Opcode Fuzzy Hash: cb045a0ba201d2ee6427f9e78765929373c8d05eb0dc5adfe88cbb7beda38bac
Instruction Fuzzy Hash: ACC1BF74A04249EFDB11AFACD841BEDBBB4FF4A310F144199EA54E7392CB309942CB61

Function 008BCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008BCEB7
_free.LIBCMT ref: 008BCF22
_free.LIBCMT ref: 008BCF48
_free.LIBCMT ref: 008BCF71
_free.LIBCMT ref: 008BCFA9
_free.LIBCMT ref: 008BCFDA
_free.LIBCMT ref: 008BD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008BD09C
_free.LIBCMT ref: 008BD0B5

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 398f9d06ebcae83766c8fd786388136e77945fc607562d2d2be775c4f2122bb6
Instruction ID: df9b83d3a1e8758db7165cbfe8dd7202d24046b4b94ab2498bd1ec1b0e800714
Opcode Fuzzy Hash: 398f9d06ebcae83766c8fd786388136e77945fc607562d2d2be775c4f2122bb6
Instruction Fuzzy Hash: FC612571A08305AFDB21AFB89882AFE7BA5FF05320F0441ADF944D7382EB719D019751

Function 009150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00915186
ShowWindow.USER32(?,00000000), ref: 009151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009151D1

Part of subcall function 00916FBA: DeleteObject.GDI32(00000000), ref: 00916FE6

GetWindowLongW.USER32(?,000000F0), ref: 0091520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0091521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0091524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00915287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00915296

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 55c31e24978e06fd11a0ccc6ec8661bc154cfeb507fc17391f9c363d8b4f0e39
Instruction ID: 38bd0b1a4603756b5e4bdf75d8a44764b5ce70bd94efa56af5ce454f978eb4c5
Opcode Fuzzy Hash: 55c31e24978e06fd11a0ccc6ec8661bc154cfeb507fc17391f9c363d8b4f0e39
Instruction Fuzzy Hash: 36519E71BA8A0CFEEF219F28CC45BD83B69EB85361F168411F525962E0C7B599C0DB41

Function 00898B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00898874,00000000,00000000,00000000,000000FF,00000000), ref: 008D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00898874,00000000,00000000,00000000,000000FF,00000000), ref: 008D692D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: e7ad3d90d9713e23fbb5a2ceafb59ee1ed43c41c35cd97ff527b41a4645ccd5c
Instruction ID: fac03f4d89618e9a2447bf50f7da5eedaea4efd7b469c24d7e59d916730e006f
Opcode Fuzzy Hash: e7ad3d90d9713e23fbb5a2ceafb59ee1ed43c41c35cd97ff527b41a4645ccd5c
Instruction Fuzzy Hash: 3D518AB061020AEFDB20DF25CC55FAA7BB5FB44364F184619F952D72A0EB70E990EB40

Function 008FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008FC182
GetLastError.KERNEL32 ref: 008FC195
SetEvent.KERNEL32(?), ref: 008FC1A9

Part of subcall function 008FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008FC272
Part of subcall function 008FC253: GetLastError.KERNEL32 ref: 008FC322
Part of subcall function 008FC253: SetEvent.KERNEL32(?), ref: 008FC336
Part of subcall function 008FC253: InternetCloseHandle.WININET(00000000), ref: 008FC341

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0971cceb4f31f5c048f4a7b33ef39a6c62a89c9efd1e8fdc2f3181d822742cb8
Instruction ID: f37fcc8a553737ec65c25b3ecc9e14d5402b544437127db37d8d2a2cfe350f60
Opcode Fuzzy Hash: 0971cceb4f31f5c048f4a7b33ef39a6c62a89c9efd1e8fdc2f3181d822742cb8
Instruction Fuzzy Hash: 303190B164460DAFDB219FB5DE44AB6BBF8FF18300B14841DFA56C2611DB31EA14EB60

Function 008E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E3A57
Part of subcall function 008E3A3D: GetCurrentThreadId.KERNEL32 ref: 008E3A5E
Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008E2627

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bb53f3ff5fb517834191d4a606408aabc8989bf3c636c8763368e819f0643257
Instruction ID: dc653eac3cac58e7ee50b1bf67b3e3e92af157b8ee984ee2029dc89cf5438497
Opcode Fuzzy Hash: bb53f3ff5fb517834191d4a606408aabc8989bf3c636c8763368e819f0643257
Instruction Fuzzy Hash: 3D01B5703D8764BBFB1067699C8AF993E59EB4AB51F104011F318AF0D1C9E11444DA6A

Function 008E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008E1449,?,?,00000000), ref: 008E180C
HeapAlloc.KERNEL32(00000000,?,008E1449,?,?,00000000), ref: 008E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008E1449,?,?,00000000), ref: 008E1828
GetCurrentProcess.KERNEL32(?,00000000,?,008E1449,?,?,00000000), ref: 008E1830
DuplicateHandle.KERNEL32(00000000,?,008E1449,?,?,00000000), ref: 008E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008E1449,?,?,00000000), ref: 008E1843
GetCurrentProcess.KERNEL32(008E1449,00000000,?,008E1449,?,?,00000000), ref: 008E184B
DuplicateHandle.KERNEL32(00000000,?,008E1449,?,?,00000000), ref: 008E184E
CreateThread.KERNEL32(00000000,00000000,008E1874,00000000,00000000,00000000), ref: 008E1868

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b9ea663ff0550438e786e4e1cc82d5f1a954e513ce0d8a197c64b75e22627b41
Instruction ID: 9e2b5cec00b67fa698f2b4675f71654e135717689b4b3f4a64562b837ae3425f
Opcode Fuzzy Hash: b9ea663ff0550438e786e4e1cc82d5f1a954e513ce0d8a197c64b75e22627b41
Instruction Fuzzy Hash: 4E01BFB53D4344BFE710AB65DC4DF977B6CEB89B11F408411FA05DB191C6749800DB20

Function 0090A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008ED501
Part of subcall function 008ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008ED50F
Part of subcall function 008ED4DC: CloseHandle.KERNELBASE(00000000), ref: 008ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0090A16D
GetLastError.KERNEL32 ref: 0090A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0090A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0090A268
GetLastError.KERNEL32(00000000), ref: 0090A273
CloseHandle.KERNEL32(00000000), ref: 0090A2C4

Strings

SeDebugPrivilege, xrefs: 0090A18F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bdd71cf34c7a17323546300eab7d9c5b48198b4c167cc9297c950176f29272b1
Instruction ID: 4fbd44190a0307e1490bb5fa95e37ba1b4357eaacbb6463a344a24b98efaee37
Opcode Fuzzy Hash: bdd71cf34c7a17323546300eab7d9c5b48198b4c167cc9297c950176f29272b1
Instruction Fuzzy Hash: AE617970208342AFD720DF19C894F26BBA5AF54318F18849CE4668B7A3C776ED45CBD2

Function 00913886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00913925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0091393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00913954
_wcslen.LIBCMT ref: 00913999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009139F4

Strings

SysListView32, xrefs: 009138F7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 2843b1d5c99d078dbdb07284f33ed361fd6d672b953293ff5adcfbd4d507d0de
Instruction ID: 9cc6c8f91a137bd40ce5f7234134eca24bbc428af6e6799965c3571117ac854a
Opcode Fuzzy Hash: 2843b1d5c99d078dbdb07284f33ed361fd6d672b953293ff5adcfbd4d507d0de
Instruction Fuzzy Hash: 5841AE71A0021DABEF219F64CC49BEA7BB9EF48354F104566F958E7281D7B19A80CB90

Function 008EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008EBCFD
IsMenu.USER32(00000000), ref: 008EBD1D
CreatePopupMenu.USER32 ref: 008EBD53
GetMenuItemCount.USER32(00AD5768), ref: 008EBDA4
InsertMenuItemW.USER32(00AD5768,?,00000001,00000030), ref: 008EBDCC

Strings

2, xrefs: 008EBD37
0, xrefs: 008EBCA8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 98c1288cb7a2a94254f277fd1d1f31f745289949c01e334b3b012a2bd863a12a
Instruction ID: 6c171caab3e8bbf1a7c98bde6252936c22f78de25e6197fbfab4bb1ad88bff7f
Opcode Fuzzy Hash: 98c1288cb7a2a94254f277fd1d1f31f745289949c01e334b3b012a2bd863a12a
Instruction Fuzzy Hash: C3519E70B04289ABDB20CFAADC84BAFBBF5FF46314F148119E411D7290D7709941CB51

Function 008EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008EC913

Strings

warning, xrefs: 008EC8FC
question, xrefs: 008EC8CC
stop, xrefs: 008EC8E4
blank, xrefs: 008EC895
info, xrefs: 008EC8B4

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8685fbc4f32f8b6702556c08395822fba6fa04028c4808f30b707dde6816918c
Instruction ID: fb87b74eb52b7fec3ce87f93729bcdc9afba0c1c3e201905a30246213cd5dc22
Opcode Fuzzy Hash: 8685fbc4f32f8b6702556c08395822fba6fa04028c4808f30b707dde6816918c
Instruction Fuzzy Hash: E1110071B8935ABAF7016B599C83CAE6B9CFF57358B10003AF500E62D3D7B46D015265

Function 008EDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008EDE42
gethostname.WSOCK32(?,00000100), ref: 008EDE5C
gethostbyname.WSOCK32(?), ref: 008EDE69
inet_ntoa.WSOCK32(?), ref: 008EDEAB
_strcat.LIBCMT ref: 008EDEB9
WSACleanup.WSOCK32 ref: 008EDEDE

Strings

0.0.0.0, xrefs: 008EDE87

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 8bebad778d4a33d7efc63d8f624322912c9b4e1d96dab2b1cf9b814d8a15cd49
Instruction ID: 9880c0299bf93c7b7d3008490f36034dd3baf441395d25e93b00d5368f562959
Opcode Fuzzy Hash: 8bebad778d4a33d7efc63d8f624322912c9b4e1d96dab2b1cf9b814d8a15cd49
Instruction Fuzzy Hash: 57115C71A04209AFDB206B75DC4EDEF37ACFF52310F0401A9F445DA091EFB08A84DA61

Function 00919F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

GetSystemMetrics.USER32(0000000F), ref: 00919FC7
GetSystemMetrics.USER32(0000000F), ref: 00919FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0091A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0091A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0091A263
ShowWindow.USER32(00000003,00000000), ref: 0091A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0091A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0091A2CA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2667edecfe1492ca5bdc8ba070c8ad407eaf2aed5a5c1d83f28c94d22426eb33
Instruction ID: 4a535dd14d903870a5eb11c4aac7d15dc166493ca49bbbfdca1269850dd4dea4
Opcode Fuzzy Hash: 2667edecfe1492ca5bdc8ba070c8ad407eaf2aed5a5c1d83f28c94d22426eb33
Instruction Fuzzy Hash: ADB1A731605219AFDF14CF68C9857EE3BF6BF48711F088069EC99AB295D731AD80CB61

Function 008EED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008EED2A
_wcslen.LIBCMT ref: 008EED3B
_wcslen.LIBCMT ref: 008EED79
_wcslen.LIBCMT ref: 008EEDAF
_wcslen.LIBCMT ref: 008EEDDF
_wcslen.LIBCMT ref: 008EEDEF
_wcslen.LIBCMT ref: 008EEE2B
_wcslen.LIBCMT ref: 008EEE5A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f2680aacbdc2e3135b150bdd0373e0266c10186d2547317028a6656a099266d6
Instruction ID: 8487cd7ff9666c8ba06f84ba5af9c654ab75ae1d1241d2d3c4d5396227579697
Opcode Fuzzy Hash: f2680aacbdc2e3135b150bdd0373e0266c10186d2547317028a6656a099266d6
Instruction Fuzzy Hash: DB419065D10258A5DB11EBF88C8AACFB7ACFF46310F548462E518E3921FB34E255C3A6

Function 0089F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 0089F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 008DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 008DF454

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eebbb6f2d96db1e7c64671de860d83808b09b93757f88a6b7fb9a22eea5c10a6
Instruction ID: 7352cf7dd0e33a7e88850954f28038245ff9a6a44e21af10898c0b3c113f7b13
Opcode Fuzzy Hash: eebbb6f2d96db1e7c64671de860d83808b09b93757f88a6b7fb9a22eea5c10a6
Instruction Fuzzy Hash: 5441D831618640BECF3DAB29888876A7F92FB56314F1C853DF347D6663C6719880EB51

Function 00912D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00912D1B
GetDC.USER32(00000000), ref: 00912D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00912D2E
ReleaseDC.USER32(00000000,00000000), ref: 00912D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00912D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00912D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00915A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00912DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00912DE1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 30e6bb01a8a13ce1510daa304af84854fc35d9e468118915ff2866960068f5f3
Instruction ID: 2c926678c8becd66e4188e9b2845a48d6f6070e5ecf241fb935fab74668b570b
Opcode Fuzzy Hash: 30e6bb01a8a13ce1510daa304af84854fc35d9e468118915ff2866960068f5f3
Instruction Fuzzy Hash: FE319CB6355214BFEB118F50DC8AFEB3BADEF09751F048055FE089A291C6759C50CBA4

Function 008E5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008E5637
_memcmp.LIBVCRUNTIME ref: 008E5659
_memcmp.LIBVCRUNTIME ref: 008E5671
_memcmp.LIBVCRUNTIME ref: 008E5684
_memcmp.LIBVCRUNTIME ref: 008E569E
_memcmp.LIBVCRUNTIME ref: 008E56B1
_memcmp.LIBVCRUNTIME ref: 008E56C9
_memcmp.LIBVCRUNTIME ref: 008E56E4

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 003cc3f45c4474b73674081423167c19163f1e2c96205fe881eaa20b5b7485fa
Instruction ID: 45d420c0cdfe983355c83f4ac37981601fd6e70d157447a3df64c002d7aab94d
Opcode Fuzzy Hash: 003cc3f45c4474b73674081423167c19163f1e2c96205fe881eaa20b5b7485fa
Instruction Fuzzy Hash: BE218361740A4D7BEA149A268EA2FFB235CFE7338CF440020FD05DAA91F764ED1081E6

Function 00904FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00905007
NULL Pointer assignment, xrefs: 0090502E, 00905383

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0b380846afe48b1c9983e2092637987c9653f5af0f83452fa29584d8fc415d65
Instruction ID: 086521a3b42feaa0cca6094582e7c6069f97a38efa9690e9416e6e531dcbc34e
Opcode Fuzzy Hash: 0b380846afe48b1c9983e2092637987c9653f5af0f83452fa29584d8fc415d65
Instruction Fuzzy Hash: CBD19C75A0060AAFDF10CFA8C881BAEB7B9BF48344F158469E915EB281E770DD45CF90

Function 008C1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008C15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008C1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008C16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008C16FB

Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6,?,00881129), ref: 008B3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008C1777
__freea.LIBCMT ref: 008C17A2
__freea.LIBCMT ref: 008C17AE

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d8252f6235572a5a6623ea893313a3103cb7d6f24587a6f1796fecaa20ec1e9b
Instruction ID: 280ec67160db8995b474d38e7e39f8fffc2adae1c2972487598ceb5788753b4c
Opcode Fuzzy Hash: d8252f6235572a5a6623ea893313a3103cb7d6f24587a6f1796fecaa20ec1e9b
Instruction Fuzzy Hash: 61918071E1021A9ADF208E64C8D9FEE7BB5FB4A714F18465DE801E7246DB35DC40CBA1

Function 00904523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00904648
VariantInit.OLEAUT32(?), ref: 00904749
VariantClear.OLEAUT32(?), ref: 00904753
VariantClear.OLEAUT32(?), ref: 009047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 009045D8, 00904706, 009047BE
Incorrect Object type in FOR..IN loop, xrefs: 0090472C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 37381d02cb12c770701fadc0273f1fa6c026428447406aeaf2b7dc20d27e2be6
Instruction ID: 161098bd75b8b8f2a75786207837900c73e1fa8386630af87d86a31ba2ad93aa
Opcode Fuzzy Hash: 37381d02cb12c770701fadc0273f1fa6c026428447406aeaf2b7dc20d27e2be6
Instruction Fuzzy Hash: 4D917DB1A04219AFDF24CFA5CC84FAEBBB8EF46714F108559F615AB281D7709941CFA0

Function 008F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008F1430

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e9ae7d091ae6f5e7c8c0c232e206e8bb9981038ed7ddd12492d206ef29734d5b
Instruction ID: 623d55d6fcf91dea3feddb88a899e9274f4b92e01d3ef5879cdec7e2c99a0ca2
Opcode Fuzzy Hash: e9ae7d091ae6f5e7c8c0c232e206e8bb9981038ed7ddd12492d206ef29734d5b
Instruction Fuzzy Hash: B6918B71A0021DEFDB01DFA8C888BBEB7B5FF45325F144029EA10EB292D774A941CB95

Function 0089948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1f4648a862592f7793d5a8cb8f67abc4e44c01716536f167bce07d1056c40d1d
Instruction ID: 421bc29e73036f6f6c5da00a7249c0039c44f28c480323b2e05df5fa81ad36f3
Opcode Fuzzy Hash: 1f4648a862592f7793d5a8cb8f67abc4e44c01716536f167bce07d1056c40d1d
Instruction Fuzzy Hash: 51913471A44219AFCF15DFA9CC84AEEBBB8FF49320F18814AE555F7251D334AA41CB60

Function 00903947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0090396B
CharUpperBuffW.USER32(?,?), ref: 00903A7A
_wcslen.LIBCMT ref: 00903A8A
VariantClear.OLEAUT32(?), ref: 00903C1F

Part of subcall function 008F0CDF: VariantInit.OLEAUT32(00000000), ref: 008F0D1F
Part of subcall function 008F0CDF: VariantCopy.OLEAUT32(?,?), ref: 008F0D28
Part of subcall function 008F0CDF: VariantClear.OLEAUT32(?), ref: 008F0D34

Strings

Incorrect Parameter format, xrefs: 009039A6, 00903BA1
AUTOIT.ERROR, xrefs: 00903A80, 00903A85

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 932c6af1c895980869c059bfe773a20bd3940d08f1a8e9525473ada6d865d940
Instruction ID: 355466708d89315a95fc3ffbae7ef31d532bcd26ab81fec199cfc4cb94962fbc
Opcode Fuzzy Hash: 932c6af1c895980869c059bfe773a20bd3940d08f1a8e9525473ada6d865d940
Instruction Fuzzy Hash: 989136756083059FC714EF68C48096AB7E9FF89314F14882DF89997391DB31EE45CB92

Function 00904BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?,?,008E035E), ref: 008E002B
Part of subcall function 008E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0046
Part of subcall function 008E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0054
Part of subcall function 008E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?), ref: 008E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00904C51
_wcslen.LIBCMT ref: 00904D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00904DCF
CoTaskMemFree.OLE32(?), ref: 00904DDA

Strings

NULL Pointer assignment, xrefs: 00904E23, 00904E52

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a1c5043b1fc39cfb2e642b3b69b2db73b3e47d50dc00ffcff1e2c8c2dcb0333c
Instruction ID: c591d929e55709f8847dd8e7b290458599a9ab73437cb0fb9f1d25bfd3cd7aa8
Opcode Fuzzy Hash: a1c5043b1fc39cfb2e642b3b69b2db73b3e47d50dc00ffcff1e2c8c2dcb0333c
Instruction Fuzzy Hash: EF9108B1D0021D9FDF14DFA4C891AEDB7B8FF48310F108569E515A7291EB74AA44CFA1

Function 009120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00912183
GetMenuItemCount.USER32(00000000), ref: 009121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009121DD
_wcslen.LIBCMT ref: 00912213
GetMenuItemID.USER32(?,?), ref: 0091224D
GetSubMenu.USER32(?,?), ref: 0091225B

Part of subcall function 008E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E3A57
Part of subcall function 008E3A3D: GetCurrentThreadId.KERNEL32 ref: 008E3A5E
Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009122E3

Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c279a733e4e0517cc01fd4ac093ae369c5a1df5f20aec2b5054e3542d61b3423
Instruction ID: 0b6043b221e3dd7a7d0bfab5b0de1ba1fe4ec2169033e3dbb6d8eac57923494b
Opcode Fuzzy Hash: c279a733e4e0517cc01fd4ac093ae369c5a1df5f20aec2b5054e3542d61b3423
Instruction Fuzzy Hash: 01718D75A04209AFCB14EF68C841AEEB7F5FF48310F148858E926EB351DB34AD918B91

Function 00917E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00AD56F0), ref: 00917F37
IsWindowEnabled.USER32(00AD56F0), ref: 00917F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0091801E
SendMessageW.USER32(00AD56F0,000000B0,?,?), ref: 00918051
IsDlgButtonChecked.USER32(?,?), ref: 00918089
GetWindowLongW.USER32(00AD56F0,000000EC), ref: 009180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009180C3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e9291c0a4577eba8fc4534b2be46b7c1beebfb293bb78273462cd70b97989f20
Instruction ID: a18f3333f46b42bacd87f913a2a39c62b12369f24013f3e118faf351707108cd
Opcode Fuzzy Hash: e9291c0a4577eba8fc4534b2be46b7c1beebfb293bb78273462cd70b97989f20
Instruction Fuzzy Hash: 4671907470820AAFEB219FA4C894FEBBBB9EF09340F144459E94597361CB31AC86DB10

Function 008EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008EAEF9
GetKeyboardState.USER32(?), ref: 008EAF0E
SetKeyboardState.USER32(?), ref: 008EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008EB020

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5fc4b1a5d89e513d186b13cf50068e5024febe439f31064891f600df02657477
Instruction ID: 1bdc6c9a97950fdf50a8862500e0dc4e40e3ecaba40734e1d8cd40459b65b1c6
Opcode Fuzzy Hash: 5fc4b1a5d89e513d186b13cf50068e5024febe439f31064891f600df02657477
Instruction Fuzzy Hash: F851D2A06047D53DFB3A43758845BBB7EA9AB07704F088489E1E5D54C2C798FC84D752

Function 008EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008EAD19
GetKeyboardState.USER32(?), ref: 008EAD2E
SetKeyboardState.USER32(?), ref: 008EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008EAE38

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4c537c798b2d83bfa40bca88b0b24edbf748eedd6b12b326c5860baefe92b741
Instruction ID: ca605b4881d27d2de9bb1eda1834cd1f5b5221efd1eb65bf709dd32c62ce97b9
Opcode Fuzzy Hash: 4c537c798b2d83bfa40bca88b0b24edbf748eedd6b12b326c5860baefe92b741
Instruction Fuzzy Hash: 6F51D6A16047D63DFB3A42658C95BBA7E99FF47B00F088488E1D5D68C2C294FC88D752

Function 008B542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008C3CD6,?,?,?,?,?,?,?,?,008B5BA3,?,?,008C3CD6,?,?), ref: 008B5470
__fassign.LIBCMT ref: 008B54EB
__fassign.LIBCMT ref: 008B5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008C3CD6,00000005,00000000,00000000), ref: 008B552C
WriteFile.KERNEL32(?,008C3CD6,00000000,008B5BA3,00000000,?,?,?,?,?,?,?,?,?,008B5BA3,?), ref: 008B554B
WriteFile.KERNEL32(?,?,00000001,008B5BA3,00000000,?,?,?,?,?,?,?,?,?,008B5BA3,?), ref: 008B5584

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 50002bb04ece7f38e2b517dcfe7b1084930c5a64f62aad0f8156088bf44833c6
Instruction ID: be16a165de4fec89cbe64faf855c3d114f47231d48e5cc1a9bbd5642cb690863
Opcode Fuzzy Hash: 50002bb04ece7f38e2b517dcfe7b1084930c5a64f62aad0f8156088bf44833c6
Instruction Fuzzy Hash: EE51C0B0A00649AFDB20CFA8D851BEEBBF9FF09301F14411AE955E7391D6309A45CB60

Function 008A2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008A2D53
_ValidateLocalCookies.LIBCMT ref: 008A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008A2E0C
_ValidateLocalCookies.LIBCMT ref: 008A2E61

Strings

csm, xrefs: 008A2DF6

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e2d2a83e25aec50578f3c852dca7cb8c98bafcc8cc8d0b109a2aa7b6027ad002
Instruction ID: bdeae2b925621a8e6464ef1dc121ff0c331058d8658cfa396d7941c473053ece
Opcode Fuzzy Hash: e2d2a83e25aec50578f3c852dca7cb8c98bafcc8cc8d0b109a2aa7b6027ad002
Instruction Fuzzy Hash: 9441A134A0020DABDF20DF6CC845A9EBBB5FF46328F148165E814EBA53D735DA11CB91

Function 009010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0090304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0090307A
Part of subcall function 0090304E: _wcslen.LIBCMT ref: 0090309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00901112
WSAGetLastError.WSOCK32 ref: 00901121
WSAGetLastError.WSOCK32 ref: 009011C9
closesocket.WSOCK32(00000000), ref: 009011F9

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 56a8a590bb1a58329c27b498e04fd08f4d2d8ac65928e5601cb9bb8ffbd50b2c
Instruction ID: ed8c6b1affde3f21617861577291474a0fdbdfbf4d182faa8dac61ae4055c4d7
Opcode Fuzzy Hash: 56a8a590bb1a58329c27b498e04fd08f4d2d8ac65928e5601cb9bb8ffbd50b2c
Instruction Fuzzy Hash: 3841D071604204AFDB14AF28C884BAABBE9FF85328F148059F9159B2D1C7B4ED41CBE1

Function 008ECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ECF22,?), ref: 008EDDFD

Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ECF22,?), ref: 008EDE16

lstrcmpiW.KERNEL32(?,?), ref: 008ECF45
MoveFileW.KERNEL32(?,?), ref: 008ECF7F
_wcslen.LIBCMT ref: 008ED005
_wcslen.LIBCMT ref: 008ED01B
SHFileOperationW.SHELL32(?), ref: 008ED061

Strings

\*.*, xrefs: 008ECFF3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: f4d585e997198f3f19265a17491b67a589901f7708cc5ad06b82cb84a72ce8b4
Instruction ID: cef18912c166fed3f6be9425f6f82ad94481b6e1a932454ae7c039d1925d3734
Opcode Fuzzy Hash: f4d585e997198f3f19265a17491b67a589901f7708cc5ad06b82cb84a72ce8b4
Instruction Fuzzy Hash: B84163B1D452585FDF12EBA5C981ADEB7B9FF09380F0000E6E505EB141EE74E689CB51

Function 00912DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00912E1C
GetWindowLongW.USER32(?,000000F0), ref: 00912E4F
GetWindowLongW.USER32(?,000000F0), ref: 00912E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00912EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00912EE0
GetWindowLongW.USER32(?,000000F0), ref: 00912EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00912F0B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 37c66528cee20729561c974b56ec6b5df2dafaefd23046ccb4b6a34916689f93
Instruction ID: 4bb15f93cab3e273994e8c2721b80de6361eb52ae4d3ad1c6014c301e52c35dd
Opcode Fuzzy Hash: 37c66528cee20729561c974b56ec6b5df2dafaefd23046ccb4b6a34916689f93
Instruction Fuzzy Hash: C7311370758259AFDB20DF18EC94FA937E9EB8A751F144164F9118F2B1CB71ACA0EB00

Function 008E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E778F
SysAllocString.OLEAUT32(00000000), ref: 008E7792
SysAllocString.OLEAUT32(?), ref: 008E77B0
SysFreeString.OLEAUT32(?), ref: 008E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008E77DE
SysAllocString.OLEAUT32(?), ref: 008E77EC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f433e116d3718659aa4c2ba480dac8463d30c0e321f037fa917f0334a9defbd7
Instruction ID: b24441efce7a6fe3a84a44710a848dd008fc4845563d8e1792cead15522bc019
Opcode Fuzzy Hash: f433e116d3718659aa4c2ba480dac8463d30c0e321f037fa917f0334a9defbd7
Instruction Fuzzy Hash: BF217CB6608219AFDB10AFA9CC88CBB77ACFB0A7647048025BA15DB1A1D670DC42C760

Function 008E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008E7868
SysAllocString.OLEAUT32(00000000), ref: 008E786B
SysAllocString.OLEAUT32 ref: 008E788C
SysFreeString.OLEAUT32 ref: 008E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008E78AF
SysAllocString.OLEAUT32(?), ref: 008E78BD

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fd4244ec9def0822e44d4d3151a819b04bfeb57e8063057bd149cf406713a838
Instruction ID: 063f5fb67be10ba364a43c54d831662989289b0f62ad898a1ee682098dc3d1bb
Opcode Fuzzy Hash: fd4244ec9def0822e44d4d3151a819b04bfeb57e8063057bd149cf406713a838
Instruction Fuzzy Hash: D1219075608228BFDB10AFA9DC88DAA77ACFB1A3607148135F915CB2A1D670DC41DB68

Function 008F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F052E

Strings

nul, xrefs: 008F0567

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 601fb003617de282218eede845f8a2123d9e307d1ed72eeae8c826919e9c027a
Instruction ID: e25831850b68e961ccb136b2f28f79745828494ade4b2ff4002e9ba1c49a07ff
Opcode Fuzzy Hash: 601fb003617de282218eede845f8a2123d9e307d1ed72eeae8c826919e9c027a
Instruction Fuzzy Hash: 072153B56043099FDB205F79D844AA977A4FF48724F204A19F9A1E62D1D7B0D940DF20

Function 008F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008F0601

Strings

nul, xrefs: 008F0639

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9c691beec3a0d74c2dc52e4c31f954c29d554e190737b2aef6dda97ff33d0bef
Instruction ID: f40f547876bc8813ee5b628349aa5529d918646e30ce63f553cfb59e387c85a9
Opcode Fuzzy Hash: 9c691beec3a0d74c2dc52e4c31f954c29d554e190737b2aef6dda97ff33d0bef
Instruction Fuzzy Hash: C821A6B56043199FDB208F788C04AAA77E4FF95724F204A19FAA1E72D2D7B09860CF10

Function 009140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0088600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0088604C
Part of subcall function 0088600E: GetStockObject.GDI32(00000011), ref: 00886060
Part of subcall function 0088600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0088606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00914112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0091411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0091412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00914139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00914145

Strings

Msctls_Progress32, xrefs: 009140E3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 841c9dcab74a2db09ec052b44f831b78eaadca63f788445466bf4b29021bc4cf
Instruction ID: e8ed8613a4e0113c2f669e48e8ce6f5f07694cbf933fec15dba9861eb1faaf68
Opcode Fuzzy Hash: 841c9dcab74a2db09ec052b44f831b78eaadca63f788445466bf4b29021bc4cf
Instruction Fuzzy Hash: 4011B2B225021DBEEF119F64CC85EE77F5DEF19798F004110BB18A6050C7729C61DBA4

Function 008BD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008BD7A3: _free.LIBCMT ref: 008BD7CC

_free.LIBCMT ref: 008BD82D

Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0

_free.LIBCMT ref: 008BD838
_free.LIBCMT ref: 008BD843
_free.LIBCMT ref: 008BD897
_free.LIBCMT ref: 008BD8A2
_free.LIBCMT ref: 008BD8AD
_free.LIBCMT ref: 008BD8B8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 6c007c246c8d73fffd159a8248cc638b946bead664e9c2fc0bc10d5b2be50728
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 0E11F671940B04BADA21BFB8CC46FCB7B9CFF04700F404C25B29DE6692EA65A5098666

Function 008EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008EDA74
LoadStringW.USER32(00000000), ref: 008EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008EDA91
LoadStringW.USER32(00000000), ref: 008EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008EDAB9

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f84a8f64ff3d1bb9180d3dc3d3a256ce5ffc166ddaf4b680f1fa6d9d29077eb3
Instruction ID: 6baeb40282ccb502ccf3e467a3c863b524ec3ebf6f4a49073ff68aff987c065a
Opcode Fuzzy Hash: f84a8f64ff3d1bb9180d3dc3d3a256ce5ffc166ddaf4b680f1fa6d9d29077eb3
Instruction Fuzzy Hash: 340186F66443187FEB109BA49D89EEB336CE709345F4044A1F746E2041E6749E848F75

Function 008F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00ACE1B0,00ACE1B0), ref: 008F097B
EnterCriticalSection.KERNEL32(00ACE190,00000000), ref: 008F098D
TerminateThread.KERNEL32(?,000001F6), ref: 008F099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008F09A9
CloseHandle.KERNEL32(?), ref: 008F09B8
InterlockedExchange.KERNEL32(00ACE1B0,000001F6), ref: 008F09C8
LeaveCriticalSection.KERNEL32(00ACE190), ref: 008F09CF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5691f9facb7508a5adc4a5258c370892c4e08793d2f34fce6c0f8a5055716050
Instruction ID: fcc3bbc47b24ee86e23608808c0bf81167579479699270981385062758115e2c
Opcode Fuzzy Hash: 5691f9facb7508a5adc4a5258c370892c4e08793d2f34fce6c0f8a5055716050
Instruction Fuzzy Hash: 23F08171696612BFD7411FA0EE8CBE67B35FF01702F805411F201908A1C7749461DF90

Function 00885D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00885D30
GetWindowRect.USER32(?,?), ref: 00885D71
ScreenToClient.USER32(?,?), ref: 00885D99
GetClientRect.USER32(?,?), ref: 00885ED7
GetWindowRect.USER32(?,?), ref: 00885EF8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ce8495a807502f4b606736c4f959fb29f69ee574e648236916a24f9ffc9d16c1
Instruction ID: 4aea872e25d77d4345591ac32d2c86944ace7f54f267ce386761f9f3bce22b41
Opcode Fuzzy Hash: ce8495a807502f4b606736c4f959fb29f69ee574e648236916a24f9ffc9d16c1
Instruction Fuzzy Hash: 42B16974A0064ADBDB10DFA9C880BEEB7F1FF58310F14941AE8A9D7250DB34EA91DB50

Function 008B01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008B00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B00D6
__allrem.LIBCMT ref: 008B00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B010B
__allrem.LIBCMT ref: 008B0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008B0140

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: cca79d5ff11f8ad2420fc92208b040744d7a365838252a434c0d48c314671472
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: F881C471A00B069FE724AA6CCC41BAB73E9FF46364F24452EF551D7782EBB0D9008B51

Function 00901D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00903149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0090101C,00000000,?,?,00000000), ref: 00903195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00901DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00901DE1
WSAGetLastError.WSOCK32 ref: 00901DF2
inet_ntoa.WSOCK32(?), ref: 00901E8C
htons.WSOCK32(?,?,?,?,?), ref: 00901EDB
_strlen.LIBCMT ref: 00901F35

Part of subcall function 008E39E8: _strlen.LIBCMT ref: 008E39F2

Part of subcall function 00886D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0089CF58,?,?,?), ref: 00886DBA
Part of subcall function 00886D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0089CF58,?,?,?), ref: 00886DED

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 92c2ea3676e7125457dbc2088cd99005cbfa3ff15f9346babc704ec2f4e89fb1
Instruction ID: 7c0aaa49e44710517be850a71f30bb10dcf1d6d9e10a94c4de898be92fea184e
Opcode Fuzzy Hash: 92c2ea3676e7125457dbc2088cd99005cbfa3ff15f9346babc704ec2f4e89fb1
Instruction Fuzzy Hash: FFA1C071204341AFD724EB28C885E2A7BE9FF85318F54894CF5569B2E2DB31ED41CB92

Function 008B61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008A82D9,008A82D9,?,?,?,008B644F,00000001,00000001,8BE85006), ref: 008B6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008B644F,00000001,00000001,8BE85006,?,?,?), ref: 008B62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008B63D8
__freea.LIBCMT ref: 008B63E5

Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6,?,00881129), ref: 008B3852

__freea.LIBCMT ref: 008B63EE
__freea.LIBCMT ref: 008B6413

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 289bd6fdb7707fa91f029b00f8b3bd81ed1ee18f036a5f40d145d4feca482d48
Instruction ID: a64b1e528148eb6509042756410ad134efef6e9d43ad4021761b783978a8274c
Opcode Fuzzy Hash: 289bd6fdb7707fa91f029b00f8b3bd81ed1ee18f036a5f40d145d4feca482d48
Instruction Fuzzy Hash: 6B51C172A00216ABEB258F64DC81EEF77A9FB48750F144629FC15D6340EB38DC64D661

Function 0090BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090BD25
RegCloseKey.ADVAPI32(00000000), ref: 0090BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0090BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0090BDF3
RegCloseKey.ADVAPI32(?), ref: 0090BDFF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 018b29968386ec93b88cb0cf4133512e79ff289606a95974879f1eb59e01f9a1
Instruction ID: 07defe4a2c196175e0d35d44dc950959024d7d248e564bd56df2212335de2f7c
Opcode Fuzzy Hash: 018b29968386ec93b88cb0cf4133512e79ff289606a95974879f1eb59e01f9a1
Instruction Fuzzy Hash: A8818F70218241AFD714EF24C895E6ABBE9FF84308F14895CF5958B2A2DB31ED45CB92

Function 008DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008DF7B9
SysAllocString.OLEAUT32(00000001), ref: 008DF860
VariantCopy.OLEAUT32(008DFA64,00000000), ref: 008DF889
VariantClear.OLEAUT32(008DFA64), ref: 008DF8AD
VariantCopy.OLEAUT32(008DFA64,00000000), ref: 008DF8B1
VariantClear.OLEAUT32(?), ref: 008DF8BB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b354fd3356a19a83d6d564729b193706e71f9b515561f6d796ed14f1153791f8
Instruction ID: d856ec166d3286c3ecd6dc59a419df46051723564626ffc25575ac8746618230
Opcode Fuzzy Hash: b354fd3356a19a83d6d564729b193706e71f9b515561f6d796ed14f1153791f8
Instruction Fuzzy Hash: 2351F531A50314BACF20AB69D8A5B29B7A4FF45314B248567EA07DF393DB708C40E797

Function 008F910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008F94E5
_wcslen.LIBCMT ref: 008F9506
_wcslen.LIBCMT ref: 008F952D
GetSaveFileNameW.COMDLG32(00000058), ref: 008F9585

Strings

X, xrefs: 008F9412

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a0b0d889ef28d60bf167c93d1ce646591380774fdd3fff8ce63cec078d8c0bca
Instruction ID: a75c0a0f043c24e44913911e412ef62bac7329ade80fefc09aa83650b303e98c
Opcode Fuzzy Hash: a0b0d889ef28d60bf167c93d1ce646591380774fdd3fff8ce63cec078d8c0bca
Instruction Fuzzy Hash: F6E181715083058FD724EF28C881B6AB7E4FF85314F14856DE999DB2A2DB31ED05CB92

Function 0089920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

BeginPaint.USER32(?,?,?), ref: 00899241
GetWindowRect.USER32(?,?), ref: 008992A5
ScreenToClient.USER32(?,?), ref: 008992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008992D3
EndPaint.USER32(?,?,?,?,?), ref: 00899321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008D71EA

Part of subcall function 00899339: BeginPath.GDI32(00000000), ref: 00899357

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9e8e3946f66e24440a99711a443c37308d3a753fdd2f8358c90a818febeccad1
Instruction ID: c462daae2fb4301481ad6d1f4d2baf6c40e8d5b9b077f26fcd47ab811b230593
Opcode Fuzzy Hash: 9e8e3946f66e24440a99711a443c37308d3a753fdd2f8358c90a818febeccad1
Instruction Fuzzy Hash: B341B370208301AFDB11EF59DC94FAA7BA8FB45365F04026DF9A5C72A1D7309845EB62

Function 008F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008F0847
EnterCriticalSection.KERNEL32(?), ref: 008F0863
LeaveCriticalSection.KERNEL32(?), ref: 008F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 008F0921

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 9bbd42ccdc26fa3e315316932b8e3c241d00d27f27a1287086ff8dff1b3a8783
Instruction ID: 7bf4930dc06f971dc894361a374821972308ff4e208a4285dbfffd4dacd010d2
Opcode Fuzzy Hash: 9bbd42ccdc26fa3e315316932b8e3c241d00d27f27a1287086ff8dff1b3a8783
Instruction Fuzzy Hash: 5F415A71A14209AFDF14AF64DC85AAA7778FF04310B1480A5EE00DA297D730DE64DBA1

Function 009181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008DF3AB,00000000,?,?,00000000,?,008D682C,00000004,00000000,00000000), ref: 0091824C
EnableWindow.USER32(?,00000000), ref: 00918272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009182D1
ShowWindow.USER32(?,00000004), ref: 009182E5
EnableWindow.USER32(?,00000001), ref: 0091830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0091832F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d8aa34aef7b6ae3a86a9866748c21530e1b59767a29967fa117895baa8834852
Instruction ID: 0ff73d3a98039005bde21e317ba12c17f9216ae7fcbaae9c1cdf39d639b36aa6
Opcode Fuzzy Hash: d8aa34aef7b6ae3a86a9866748c21530e1b59767a29967fa117895baa8834852
Instruction Fuzzy Hash: C5410670705608AFDB26CF15D899BE57BE4FB0A755F184168E5284F2B2CB71AC81EB40

Function 008E4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008E4CEA
_wcslen.LIBCMT ref: 008E4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008E4D10
_wcsstr.LIBVCRUNTIME ref: 008E4D1A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: be0a51147b646cbb279936ebefa13975dc55868161ef85bc498d0f8ad5205275
Instruction ID: 774f3186512ba657d1b32c3d5e3544d33530c2159461e80fd4e5e8257810a5b6
Opcode Fuzzy Hash: be0a51147b646cbb279936ebefa13975dc55868161ef85bc498d0f8ad5205275
Instruction Fuzzy Hash: EC212672304245BBEB255B3AAC09E7F7B9CFF46750F149029F809CA192EA61DC00D2A1

Function 008F581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00883AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00883A97,?,?,00882E7F,?,?,?,00000000), ref: 00883AC2

_wcslen.LIBCMT ref: 008F587B
CoInitialize.OLE32(00000000), ref: 008F5995
CoCreateInstance.OLE32(0091FCF8,00000000,00000001,0091FB68,?), ref: 008F59AE
CoUninitialize.OLE32 ref: 008F59CC

Strings

.lnk, xrefs: 008F5876, 008F58C1, 008F5985

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 024d847d455e2003df7798ab4738c36780a56f5100555e60258aa08b4e2db0a2
Instruction ID: 2d0e96242ba677e672ed2a4a172ededd8ecab6441d5fb0b09ac3b16cd48f6883
Opcode Fuzzy Hash: 024d847d455e2003df7798ab4738c36780a56f5100555e60258aa08b4e2db0a2
Instruction Fuzzy Hash: ACD153716087059FC714EF28C48092ABBE5FF89724F148859FA89DB361DB31ED45CB92

Function 008E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008E0FCA
Part of subcall function 008E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008E0FD6
Part of subcall function 008E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008E0FE5
Part of subcall function 008E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008E0FEC
Part of subcall function 008E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008E1002

GetLengthSid.ADVAPI32(?,00000000,008E1335), ref: 008E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008E17BA
HeapAlloc.KERNEL32(00000000), ref: 008E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008E17DA
GetProcessHeap.KERNEL32(00000000,00000000,008E1335), ref: 008E17EE
HeapFree.KERNEL32(00000000), ref: 008E17F5

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 546342495914fb36edf5852b3dfc4aad99019eadc61b6f745775f5b4be402145
Instruction ID: 1c4805842b9a2dabfe874ca72597a09a4996ecf0ff48d0b65105236f2889c4a2
Opcode Fuzzy Hash: 546342495914fb36edf5852b3dfc4aad99019eadc61b6f745775f5b4be402145
Instruction Fuzzy Hash: 7A11A9726A8205FFDF109FA5CC49BAE7BA9FB46759F108018F881E7214C736A940DB60

Function 008E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008E1515
CloseHandle.KERNEL32(00000004), ref: 008E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008E1563

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4cebfa33414c8e0c9f468e95ef703bdf2bf5275dba6cd0b0b408a25422208a7c
Instruction ID: 79ab608533d8f1f487975724a86f3f87f22432f4d39473a1f582c5b4c855a58d
Opcode Fuzzy Hash: 4cebfa33414c8e0c9f468e95ef703bdf2bf5275dba6cd0b0b408a25422208a7c
Instruction Fuzzy Hash: A2115CB260424DABDF118F94DD49BDE7BA9FF49708F048014FA05E21A0C3718E61EB60

Function 008A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008A3379,008A2FE5), ref: 008A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008A33B7
SetLastError.KERNEL32(00000000,?,008A3379,008A2FE5), ref: 008A3409

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 60b9561830dbfbeac2b93ec720ac504ffb5b857869780f63e1fd807984ed25e1
Instruction ID: 6ee616bbacbf461e43c94412ee40ff93b1dfcd4d536ab5a1397611864262d871
Opcode Fuzzy Hash: 60b9561830dbfbeac2b93ec720ac504ffb5b857869780f63e1fd807984ed25e1
Instruction Fuzzy Hash: 8501247271E311BEBE6427787C85A672B94FB273793200229F520C0AF0EF114D02B144

Function 008B2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008B5686,008C3CD6,?,00000000,?,008B5B6A,?,?,?,?,?,008AE6D1,?,00948A48), ref: 008B2D78
_free.LIBCMT ref: 008B2DAB
_free.LIBCMT ref: 008B2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008AE6D1,?,00948A48,00000010,00884F4A,?,?,00000000,008C3CD6), ref: 008B2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008AE6D1,?,00948A48,00000010,00884F4A,?,?,00000000,008C3CD6), ref: 008B2DEC
_abort.LIBCMT ref: 008B2DF2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3d32ca3fd856139ac462fc77e73703ad90162779b9897429da2d345f549f29fc
Instruction ID: f185f2643d38204ac1d846ec666a8c8672a3e55a589da851fc8ad7a496aa1704
Opcode Fuzzy Hash: 3d32ca3fd856139ac462fc77e73703ad90162779b9897429da2d345f549f29fc
Instruction Fuzzy Hash: BAF0C875649A046BC622373CBC0AEEA2959FFC67A5F284518F834D23D6EF2488065162

Function 00918A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00899639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00899693
Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996A2
Part of subcall function 00899639: BeginPath.GDI32(?), ref: 008996B9
Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00918A4E
LineTo.GDI32(?,00000003,00000000), ref: 00918A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00918A70
LineTo.GDI32(?,00000000,00000003), ref: 00918A80
EndPath.GDI32(?), ref: 00918A90
StrokePath.GDI32(?), ref: 00918AA0

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a2f2b3692d8c34452dbec43ffd84f7627250728763ca3678504e5fd898ee9948
Instruction ID: cb8fda8d3bde00c36009196442a4b08fa2ca04164ad8a65d79b3f0eecca3a543
Opcode Fuzzy Hash: a2f2b3692d8c34452dbec43ffd84f7627250728763ca3678504e5fd898ee9948
Instruction Fuzzy Hash: AE11E576144108FFDF129F94EC88EEA7F6CEB08390F048012FA199A1A1C7719D55EBA0

Function 008E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008E5230
ReleaseDC.USER32(00000000,00000000), ref: 008E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008E5261

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2454a815bb22edc89d2d6e7aa81e1266d3dc084ae2ab57ac166c210183a76660
Instruction ID: 1b9abf71610119290a16c45e39029a8be3aaded0efd0a3a4e8302386f3db4c3b
Opcode Fuzzy Hash: 2454a815bb22edc89d2d6e7aa81e1266d3dc084ae2ab57ac166c210183a76660
Instruction Fuzzy Hash: F50184B5B44709BBEB105BA69C49A9EBF78FB48351F048065FA04E7281D6709800DF60

Function 00881BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00881BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00881BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00881C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00881C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00881C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00881C22

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 16c1cc44cfa73a163f3d4794591af7fc88826896cefd2f29628c6c2e01ec0569
Instruction ID: 43b4f5ebbae07e587a17ff093cdc11bcb602bc819a3172fc047a8a804c40baec
Opcode Fuzzy Hash: 16c1cc44cfa73a163f3d4794591af7fc88826896cefd2f29628c6c2e01ec0569
Instruction Fuzzy Hash: 1D016CB094275ABDE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 008EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008EEB75

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 999c1e9b310ea554daa40ce3d0443ba20b33e367aac32a9b737bbec789e1ca05
Instruction ID: d8269ba321d3b336a7785e02badcfc7e32522e6530474677a142580f44988d9b
Opcode Fuzzy Hash: 999c1e9b310ea554daa40ce3d0443ba20b33e367aac32a9b737bbec789e1ca05
Instruction Fuzzy Hash: E4F090B2294159BBE72157529C0DEEF3A7CEFCAB51F008158F611D1090D7A01A01D6B4

Function 008D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008D7469
GetWindowDC.USER32(?), ref: 008D7475
GetPixel.GDI32(00000000,?,?), ref: 008D7484
ReleaseDC.USER32(?,00000000), ref: 008D7496
GetSysColor.USER32(00000005), ref: 008D74B0

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9cfff0de9047ecf77a32ec82c174b8760a7e477e6fba7236faf2fecfe0d5ba70
Instruction ID: 4b83decb7dde45e624c6a0de3102081badacf3184200cfab1e24ca9c55346caf
Opcode Fuzzy Hash: 9cfff0de9047ecf77a32ec82c174b8760a7e477e6fba7236faf2fecfe0d5ba70
Instruction Fuzzy Hash: BF01AD71658219FFDB525F64DC08BEA7BB6FF04311F508164FA16A21A0CB311E41FB10

Function 008E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008E187F
UnloadUserProfile.USERENV(?,?), ref: 008E188B
CloseHandle.KERNEL32(?), ref: 008E1894
CloseHandle.KERNEL32(?), ref: 008E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008E18A5
HeapFree.KERNEL32(00000000), ref: 008E18AC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7cb8e35eec3a947cfc24c5c257846f8c5574612d6318938ce1e8b57a4e4f5cf0
Instruction ID: 53fa4ed2106f68cbf4abde07d7bddfb58067d64d9481d39f548b18be04cdae87
Opcode Fuzzy Hash: 7cb8e35eec3a947cfc24c5c257846f8c5574612d6318938ce1e8b57a4e4f5cf0
Instruction Fuzzy Hash: A6E0EDB669C211BBD7015FA1ED0C985BF39FF49721750C220F22581070CB725421EF50

Function 008EC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008EC6EE
_wcslen.LIBCMT ref: 008EC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008EC7CA

Strings

0, xrefs: 008EC6AF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 85cc590fff1619605b0686513e9f16c81540251fd9a6581b049d583089be2737
Instruction ID: 2b500c26fa6c46075b3b10a7efbd717e22b170c23f94ff9043d2e51ea270d9a1
Opcode Fuzzy Hash: 85cc590fff1619605b0686513e9f16c81540251fd9a6581b049d583089be2737
Instruction Fuzzy Hash: A651BE71A183809BD714AF2ECC85B6B7BE4FF9B314F040A2DF995D21A1DB60D8068B52

Function 0090AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0090AEA3

Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625

GetProcessId.KERNEL32(00000000), ref: 0090AF38
CloseHandle.KERNEL32(00000000), ref: 0090AF67

Strings

<, xrefs: 0090AE6B
@, xrefs: 0090AE72

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b3eecfa7d59026714a16a92aa332534640893236f9d62f8f808bf5f6b5a1e9d5
Instruction ID: 0b28187f59c2ad4b40feeb439870b3e52cf74244ef37e018f447fc039c8b9fce
Opcode Fuzzy Hash: b3eecfa7d59026714a16a92aa332534640893236f9d62f8f808bf5f6b5a1e9d5
Instruction Fuzzy Hash: 29716C71A00615DFCB14EF58C484A9EBBF4FF08314F148499E856AB7A2CB74ED45CBA2

Function 008E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008E72CF

Strings

DllGetClassObject, xrefs: 008E7242

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d774b500792d86591a09261700bb32266f86ecdd9122eca17353e0fef455a707
Instruction ID: 9046a5ac70f75e809ee431b6649f75a0f6903df14bf59b71dc03e4a4ddfe5f5d
Opcode Fuzzy Hash: d774b500792d86591a09261700bb32266f86ecdd9122eca17353e0fef455a707
Instruction Fuzzy Hash: D84181B1604245EFDB15CF55C884A9A7BB9FF46314F1480A9BE0ADF20AD7B1DD44CBA0

Function 00913D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00913E35
IsMenu.USER32(?), ref: 00913E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00913E92
DrawMenuBar.USER32 ref: 00913EA5

Strings

0, xrefs: 00913D89

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 70486dd3c9f76cd29d38c82f58fc44cfd4250b7f8b2c39a25fa86b1381c5cd83
Instruction ID: f3f2ea58f542092dad57af89cf7c11a03a1326f6d4834cab811aa486cc71cdc1
Opcode Fuzzy Hash: 70486dd3c9f76cd29d38c82f58fc44cfd4250b7f8b2c39a25fa86b1381c5cd83
Instruction Fuzzy Hash: 1B4147B5A1430DAFDB10DF54D884AEABBB9FF49350F048129F915A7290D730AE84DF50

Function 008E1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008E1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008E1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008E1EA9

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

Strings

ComboBox, xrefs: 008E1DF0
ListBox, xrefs: 008E1E25

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0c4a550f5622134150740f637aa989bc448daf04b0747744a17ee1b0a2faf84d
Instruction ID: a86716526c4387d2fbb832bfd71215706e6cad3df47449ad1263b84467b966c7
Opcode Fuzzy Hash: 0c4a550f5622134150740f637aa989bc448daf04b0747744a17ee1b0a2faf84d
Instruction Fuzzy Hash: 452101B1A00149BFDB18ABA9DC49CFFB7A8FF42364B144129F821E71E1DB3449099720

Function 0090C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090C9F1
_wcslen.LIBCMT ref: 0090CA68
_wcslen.LIBCMT ref: 0090CA9E
_wcslen.LIBCMT ref: 0090CAF9
_wcslen.LIBCMT ref: 0090CB2F
_wcslen.LIBCMT ref: 0090CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0090CA62, 0090CA67
HKLM, xrefs: 0090CA98, 0090CA9D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 5eb3ca718d6aab6ff36fc454b626b7596d0eb1fce94405dc7911f69ff89f9cea
Instruction ID: ff3d1f0488b25ca189bbfeb153c3e04c633d2f5fbaaf35658d9d9b41120112ce
Opcode Fuzzy Hash: 5eb3ca718d6aab6ff36fc454b626b7596d0eb1fce94405dc7911f69ff89f9cea
Instruction Fuzzy Hash: EA3109B3B0016A4FCB30EF6C89505BF339AABA1750B194229EC45AB3C5E670CD44D3A1

Function 00912F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00912F8D
LoadLibraryW.KERNEL32(?), ref: 00912F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00912FA9
DestroyWindow.USER32(?), ref: 00912FB1

Strings

SysAnimate32, xrefs: 00912F68

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 90efe359bf401b919a290a3d3f79ca9b8ed4ead5d8ca14518154a4c405dcde27
Instruction ID: f673deab115d1b530e0165cf11000a2ea264f59c84a9b8521d29d3f3d5982bfd
Opcode Fuzzy Hash: 90efe359bf401b919a290a3d3f79ca9b8ed4ead5d8ca14518154a4c405dcde27
Instruction Fuzzy Hash: 9821AC71304209ABEB116FA4DC84FFB77BDEB59364F104618FA60D22A0D771DCA2A760

Function 008A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008A4D1E,008B28E9,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002), ref: 008A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008A4D1E,008B28E9,?,008A4CBE,008B28E9,009488B8,0000000C,008A4E15,008B28E9,00000002,00000000), ref: 008A4DC3

Strings

mscoree.dll, xrefs: 008A4D86
CorExitProcess, xrefs: 008A4D98

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c35dd101238ba5324cd7ed5a0d88409c3abf6e211cb0064fd8b7e6277539da4
Instruction ID: 67f54e99e3183c624d8b34fdb0fce4feafb5b33cd8d01d8461ff99d9b3da0fa4
Opcode Fuzzy Hash: 4c35dd101238ba5324cd7ed5a0d88409c3abf6e211cb0064fd8b7e6277539da4
Instruction Fuzzy Hash: E7F0AF74A94218BBEB109F94DC49BEDBBB8EF85751F0040A4F905E2660CB709940EA90

Function 00884E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884EAE
FreeLibrary.KERNEL32(00000000,?,?,00884EDD,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00884EA8
kernel32.dll, xrefs: 00884E94

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2b00d753eb2eeea5f33f3b9971554962bc645640f85ca36ad24b6f724ec8c24f
Instruction ID: c3e4581e1ff17ee4c98fa0c32201f9cc99ed69e8004a56943b5ed2cbc70d358f
Opcode Fuzzy Hash: 2b00d753eb2eeea5f33f3b9971554962bc645640f85ca36ad24b6f724ec8c24f
Instruction Fuzzy Hash: 29E08C76BAA623AB93222B25AC18AAB6658FFC1B72B054115FC04E2200DB60CD01D2A0

Function 00884E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884E74
FreeLibrary.KERNEL32(00000000,?,?,008C3CDE,?,00951418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00884E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00884E6E
kernel32.dll, xrefs: 00884E5B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 399e58cb0f18ba77265622733d773200383ac2615eef1977439cdb376e1fc474
Instruction ID: c8922bf6e51064f6bc0c6dde0f824cda70919d78cf2076d08943fefd26c71d26
Opcode Fuzzy Hash: 399e58cb0f18ba77265622733d773200383ac2615eef1977439cdb376e1fc474
Instruction Fuzzy Hash: E0D0C2327DA6226746322B246C08DCB2A18FF81B253458110B804E2110CF20CD01D2D0

Function 008F2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F2C05
DeleteFileW.KERNEL32(?), ref: 008F2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008F2CC0

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 60e61eb115f463ed8d84212cca1c94d142114aebf8e75f75413631c174be33d7
Instruction ID: 73a1b0f7daa3d859930960c3b6a8a3bfadd319eb9133963d8ad6b18fdf1b7177
Opcode Fuzzy Hash: 60e61eb115f463ed8d84212cca1c94d142114aebf8e75f75413631c174be33d7
Instruction Fuzzy Hash: 13B12F71D0011DABDF15EBA8CC85EEEBB7DFF49354F1040A6F609E6151EA309A448F62

Function 0090A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0090A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0090A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0090A468
CloseHandle.KERNEL32(?), ref: 0090A63D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 7d8d3cdb9a17c1937bd8f517deda4acc5d7d449f403618f3061981ac7edf0f52
Instruction ID: 02cbe102863686fd486a20cdc8e650ab57499780be37faaa707428da84d77f5b
Opcode Fuzzy Hash: 7d8d3cdb9a17c1937bd8f517deda4acc5d7d449f403618f3061981ac7edf0f52
Instruction Fuzzy Hash: 39A12D716043019FE720EF28D886B2AB7E5BF84714F14885DF55ADB2D2DAB1EC418B92

Function 008EE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008ECF22,?), ref: 008EDDFD

Part of subcall function 008EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008ECF22,?), ref: 008EDE16

Part of subcall function 008EE199: GetFileAttributesW.KERNEL32(?,008ECF95), ref: 008EE19A

lstrcmpiW.KERNEL32(?,?), ref: 008EE473
MoveFileW.KERNEL32(?,?), ref: 008EE4AC
_wcslen.LIBCMT ref: 008EE5EB
_wcslen.LIBCMT ref: 008EE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008EE650

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a2268581b581c1898c1a6c10e013a6b0fca5081e7045d1177fe746f08608d55e
Instruction ID: d8ca24c22ef8667d0e205baa139412aeb5fb58040a41c071ff8401899896b320
Opcode Fuzzy Hash: a2268581b581c1898c1a6c10e013a6b0fca5081e7045d1177fe746f08608d55e
Instruction Fuzzy Hash: 115192B24087855BD724EB94C8819DB73ECFF86344F00492EF589D3191EE74A288875B

Function 0090B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 0090C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0090B6AE,?,?), ref: 0090C9B5
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090C9F1
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA68
Part of subcall function 0090C998: _wcslen.LIBCMT ref: 0090CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0090BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0090BB63
RegCloseKey.ADVAPI32(?,?), ref: 0090BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0090BBB3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: c6bf1b43cf6b00431b9fcf01a20efafab7a69d8f24994979f0f7b561586acbc0
Instruction ID: 42274e5a8ec4417dcd3e5cb94af18f1ff20c7ead78c019d35961fc7724330a17
Opcode Fuzzy Hash: c6bf1b43cf6b00431b9fcf01a20efafab7a69d8f24994979f0f7b561586acbc0
Instruction Fuzzy Hash: 8E618271208241EFD714DF54C490E6ABBE9FF84308F54895DF4998B2A2DB31ED45CB92

Function 008E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008E8BCD
VariantClear.OLEAUT32 ref: 008E8C3E
VariantClear.OLEAUT32 ref: 008E8C9D
VariantClear.OLEAUT32(?), ref: 008E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008E8D3B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 50f6a7896ffe9ba71da1e0b2e83b73c51e90ae8e943e60aae46985f89f34f031
Instruction ID: 8742e53dc738a3d858bf3ceaa87e22ca074afae47975202e7031bd49804483ce
Opcode Fuzzy Hash: 50f6a7896ffe9ba71da1e0b2e83b73c51e90ae8e943e60aae46985f89f34f031
Instruction Fuzzy Hash: 455178B5A00659EFCB10CF69C884AAAB7F9FF8A314B158559F909DB350E730E911CF90

Function 008F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008F8C5F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c701a99e316d5bf3ff7641b1249c9bca24ca988d00da7cf41f730306c75604c5
Instruction ID: 418e3d48a4d15a8a7d71b5965388b15870dd19be2996dc4fa36a0e665d90c43c
Opcode Fuzzy Hash: c701a99e316d5bf3ff7641b1249c9bca24ca988d00da7cf41f730306c75604c5
Instruction Fuzzy Hash: 2C513935A00219DFCB04EF68C880A6DBBF5FF48314F088458E959AB362CB31ED41CBA1

Function 00908EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00908F40
GetProcAddress.KERNEL32(00000000,?), ref: 00908FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00908FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00909032
FreeLibrary.KERNEL32(00000000), ref: 00909052

Part of subcall function 0089F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008F1043,?,753CE610), ref: 0089F6E6
Part of subcall function 0089F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008DFA64,00000000,00000000,?,?,008F1043,?,753CE610,?,008DFA64), ref: 0089F70D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 85114efc0098d137dd4aefe98e39f4c5228f16f0fb0a585331cd7da80fef6b1e
Instruction ID: a175a42a655f9c48a9bec03a7c8c2fd256fe542e67b0e58d33640b3ea171f5c4
Opcode Fuzzy Hash: 85114efc0098d137dd4aefe98e39f4c5228f16f0fb0a585331cd7da80fef6b1e
Instruction Fuzzy Hash: 77515E75605205DFC715EF68C4848AEBBF5FF49314B0880A8E945AB3A2DB31ED86CB91

Function 00916B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00916C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00916C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00916C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008FAB79,00000000,00000000), ref: 00916C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00916CC7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: db285aae2c299a13c0852dc376c5edc3b0a6051df1e853477ea9f3f90e840978
Instruction ID: 66eafde6eca739873107babcdaaf1862526ebb6ba89c8c1345d741eed0e4cb22
Opcode Fuzzy Hash: db285aae2c299a13c0852dc376c5edc3b0a6051df1e853477ea9f3f90e840978
Instruction Fuzzy Hash: 4F41D475F08108AFD724CF28CD58FE97BA9EB09350F154268FAD5A72E0C371AD81DA80

Function 008B2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008B20C3
_free.LIBCMT ref: 008B20E3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 489f4ca71329019d007f0680620dbaf208071838c674fa3c483fc9916826bf0d
Instruction ID: 9e1af4d23ca34fd631c809238e997f77117ac6794f1a34821b441b294ec2cb5a
Opcode Fuzzy Hash: 489f4ca71329019d007f0680620dbaf208071838c674fa3c483fc9916826bf0d
Instruction Fuzzy Hash: 0D41D272A00604AFCB24EF7CC881A9DB7A5FF89314F1545A8E615EB356DB31AD01DB81

Function 0089912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00899141
ScreenToClient.USER32(00000000,?), ref: 0089915E
GetAsyncKeyState.USER32(00000001), ref: 00899183
GetAsyncKeyState.USER32(00000002), ref: 0089919D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ee8702d199572d6454501e066b28efe187950abb947a57a67ba48581775112ca
Instruction ID: cf573b5afdac447a8c42d3940911f5fefa675892e7c08093da0794af897d1bb6
Opcode Fuzzy Hash: ee8702d199572d6454501e066b28efe187950abb947a57a67ba48581775112ca
Instruction Fuzzy Hash: 3A417F71A0861AFBDF05AF68C844BEEB774FB05324F24831AE465E32D0D7346990DB91

Function 008F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 008F3922
TranslateMessage.USER32(?), ref: 008F394B
DispatchMessageW.USER32(?), ref: 008F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008F3966

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5d6d92dec09034e96ff2785e93d2d506f632dd8fcc077928a23e17b4b6bccfd3
Instruction ID: eb826702e7151211e9173103de345a52a93795de08f4514f945199ca6a403df5
Opcode Fuzzy Hash: 5d6d92dec09034e96ff2785e93d2d506f632dd8fcc077928a23e17b4b6bccfd3
Instruction Fuzzy Hash: 7D31F77071834A9FEB35CB35D818BB63FA8FB02345F04056DE662C21A0E3F49A85DB11

Function 008FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,008FC21E,00000000), ref: 008FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 008FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,008FC21E,00000000), ref: 008FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,008FC21E,00000000), ref: 008FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,008FC21E,00000000), ref: 008FCFF2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 24775c84d425578034623eb61ac0c0515efc2e81d49a3555e8ab8b50decd7a53
Instruction ID: 900c663bb1972c336c1d3e5656dd11c60f75cd93c26e5c7750787d7b4c8e5775
Opcode Fuzzy Hash: 24775c84d425578034623eb61ac0c0515efc2e81d49a3555e8ab8b50decd7a53
Instruction Fuzzy Hash: 00314BB160420DAFDB24DFA5C984ABABBF9FB14355B10842EF616D2141DB70AE41DB60

Function 008E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008E19E2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 292fca12b91aa65f59b0049bb96d1519056a2a2dba989d6fe6c51fe8b549fdc0
Instruction ID: 45d0c0b34c567b8bd6bf8745cef0366e945383adb5a0b30e6287bea2853052bf
Opcode Fuzzy Hash: 292fca12b91aa65f59b0049bb96d1519056a2a2dba989d6fe6c51fe8b549fdc0
Instruction Fuzzy Hash: E9319C71A14259EFCB00DFA9C99DAEE3BB5FB05315F108229F921EB2D2C7709944DB90

Function 00915706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00915745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0091579D
_wcslen.LIBCMT ref: 009157AF
_wcslen.LIBCMT ref: 009157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00915816

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 07acf8d69f10ec82ba2496874d4ea0faa4eda871a59daada13650bd0715bc11a
Instruction ID: 96331fd5c0b986bb3ccdea8bc9e9a5a070c2bf319b3a31df416e009c94bf07f6
Opcode Fuzzy Hash: 07acf8d69f10ec82ba2496874d4ea0faa4eda871a59daada13650bd0715bc11a
Instruction Fuzzy Hash: 0C21D570A0460CDADB209FA5CC85AEEBBBCFF84324F118616E919EA1D0D77089C5CF50

Function 00900930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00900951
GetForegroundWindow.USER32 ref: 00900968
GetDC.USER32(00000000), ref: 009009A4
GetPixel.GDI32(00000000,?,00000003), ref: 009009B0
ReleaseDC.USER32(00000000,00000003), ref: 009009E8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e4f547c77f3bd375100b4fb7ed7963eec3a82a72fcba2b66c7fb18f2f68049d7
Instruction ID: 35568849f4ff13cc454039c7db53a81bc24f8f66171de0bdcfba27c87ef828c4
Opcode Fuzzy Hash: e4f547c77f3bd375100b4fb7ed7963eec3a82a72fcba2b66c7fb18f2f68049d7
Instruction Fuzzy Hash: B7218175700204AFD704EF69D888AAEBBE9FF85740F048468E95AD7362CB70AC04DB51

Function 008BCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008BCDE9

Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6,?,00881129), ref: 008B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008BCE0F
_free.LIBCMT ref: 008BCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008BCE31

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e289301054742d89dcfe1cb8a4d94776f59d7aca2a8e49995c2590b9a923dd33
Instruction ID: 0f4e22be6a44e4f9cf05c00b39329792ba541314d88af4d8c4f921904f28302d
Opcode Fuzzy Hash: e289301054742d89dcfe1cb8a4d94776f59d7aca2a8e49995c2590b9a923dd33
Instruction Fuzzy Hash: 540184B2745215BF23211ABAAC88DFF6A6DFEC6BA13154129F905DB301EB61CD0291B1

Function 0089990C Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008998CC
SetTextColor.GDI32(?,?), ref: 008998D6
SetBkMode.GDI32(?,00000001), ref: 008998E9
GetStockObject.GDI32(00000005), ref: 008998F1
GetWindowLongW.USER32(?,000000EB), ref: 00899952

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 2d468330f59625a3f68542b7eed3dd75287bd3fe65c57addca784fa31609d3f1
Instruction ID: d34bec65ab3c22af99493874116a29ac0f96fc7d45d862eef8196ebed72b91b7
Opcode Fuzzy Hash: 2d468330f59625a3f68542b7eed3dd75287bd3fe65c57addca784fa31609d3f1
Instruction Fuzzy Hash: B721C4712492809FDB229F79EC58AE93FA0FB17331B0C429EE5E2CA1B1D7314941DB10

Function 00899639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00899693
SelectObject.GDI32(?,00000000), ref: 008996A2
BeginPath.GDI32(?), ref: 008996B9
SelectObject.GDI32(?,00000000), ref: 008996E2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0df0707d4ee1d537f718e3145db5b67b9bd9e48822aaeea606679eb76968c0a9
Instruction ID: 8414245b335f5177d6e3fc4ef7e855be9bb981c044080a16cb4344e9c2817914
Opcode Fuzzy Hash: 0df0707d4ee1d537f718e3145db5b67b9bd9e48822aaeea606679eb76968c0a9
Instruction Fuzzy Hash: 4321B370929305EBDF12AF6AFC247E93B68FB21356F14421AF451D21B0D3705851EB90

Function 008E5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008E5726
_memcmp.LIBVCRUNTIME ref: 008E5744
_memcmp.LIBVCRUNTIME ref: 008E5757
_memcmp.LIBVCRUNTIME ref: 008E576F
_memcmp.LIBVCRUNTIME ref: 008E5787

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1ac09092bf7845fcd18092ba431739d1e14a1a75bd3ca9fa85b1e68a940e3ae4
Instruction ID: 7ef2306fe1ad2c0e7a9f609681b1d5beef4bb2fa362cbef7873201c78cb454f4
Opcode Fuzzy Hash: 1ac09092bf7845fcd18092ba431739d1e14a1a75bd3ca9fa85b1e68a940e3ae4
Instruction Fuzzy Hash: 370192A2745A4DFAEA0895169D92EFB635CFB6339CF004020FD08DA641F764ED6082E1

Function 008B2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008AF2DE,008B3863,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6), ref: 008B2DFD
_free.LIBCMT ref: 008B2E32
_free.LIBCMT ref: 008B2E59
SetLastError.KERNEL32(00000000,00881129), ref: 008B2E66
SetLastError.KERNEL32(00000000,00881129), ref: 008B2E6F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: edaf10d258f15e5cdb43128edfd4ebe46c83a397a5e27aef1b6a63f3786eb854
Instruction ID: b2095bce7c2cdffc122fea2f314120c7ffedae5b67445c51b8d8cb53d0278ac5
Opcode Fuzzy Hash: edaf10d258f15e5cdb43128edfd4ebe46c83a397a5e27aef1b6a63f3786eb854
Instruction Fuzzy Hash: 200128762896007BC613673A6C46DEB2A6DFBC53B6B204428F835E23D3EF34CC065121

Function 008E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?,?,008E035E), ref: 008E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?), ref: 008E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008DFF41,80070057,?,?), ref: 008E0070

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 56ae902700c9b1215ea5f80cec37d52fdc2ef9d2592ea21b550aed30c7e8b8cd
Instruction ID: c60188996b353cca8a4f698febaf4b25f3d7e4d1bc3a2e797e013caef28d64d9
Opcode Fuzzy Hash: 56ae902700c9b1215ea5f80cec37d52fdc2ef9d2592ea21b550aed30c7e8b8cd
Instruction Fuzzy Hash: 6601DBB2710604BFDB119F6AEC44BAA7AADFB44392F148424FC01D2210E7B0CD80EBA0

Function 008EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008EE9A5
Sleep.KERNEL32(00000000), ref: 008EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008EE9B7
Sleep.KERNEL32 ref: 008EE9F3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6bfdb76177a11d46d590ec428afa0e2861bdc8dcd933a8ede590353e652178e3
Instruction ID: 12962bf8aefc5d0c7a6bad86e2fc3a67bf77021b9c824b743aba9a347ce41cb3
Opcode Fuzzy Hash: 6bfdb76177a11d46d590ec428afa0e2861bdc8dcd933a8ede590353e652178e3
Instruction Fuzzy Hash: E0015771D4962DEBCF00ABE6D849AEDBBB8FB0A300F004546E502F2242CB309550DBA1

Function 008E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008E0B9B,?,?,?), ref: 008E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008E114D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 01cb1f782e2c8bc561d92caaf33b4f1b7579b61c04a7ef8081706e58cd692527
Instruction ID: 05ae58587b1f3892233058a1b4dd468b9a17aacfd3270e5ee859c04811714680
Opcode Fuzzy Hash: 01cb1f782e2c8bc561d92caaf33b4f1b7579b61c04a7ef8081706e58cd692527
Instruction Fuzzy Hash: 15011DB9254305BFDF114F65DC4DAAA3B6EFF86360B104415FA45D7350DA71DC10DA60

Function 008E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008E1002

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee9be68e9f1da497d79d4357029b968ea965b969e1839b9685164aa5f99cdea5
Instruction ID: c48741309444fed7537d2de6868ed0a334afa677db1f898cac28567153684329
Opcode Fuzzy Hash: ee9be68e9f1da497d79d4357029b968ea965b969e1839b9685164aa5f99cdea5
Instruction Fuzzy Hash: 59F0AF79284301BBDB210FA59C4DF963B6EFF8A761F518414F905C6290CA30DC40DA60

Function 008E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1062

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4ed47c654f51da3aea53cbadcd28507a09d6119c4f28e71af74fafd5c30ff2f1
Instruction ID: 2eba6c99b093d26468d6847e08c90dd9469685e713b3a63b0608c10d961d67e9
Opcode Fuzzy Hash: 4ed47c654f51da3aea53cbadcd28507a09d6119c4f28e71af74fafd5c30ff2f1
Instruction Fuzzy Hash: 9CF0CDB9284301FBDB215FA5EC4CF963BAEFF8A761F114424FA05C7250CA30D840DA60

Function 008F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0324
CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0331
CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F033E
CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F034B
CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0358
CloseHandle.KERNEL32(?,?,?,?,008F017D,?,008F32FC,?,00000001,008C2592,?), ref: 008F0365

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 86cc8647afec7b11613ff47499c9f0792f5b4f62f2aa40dc65d1d04f1ef5d3d7
Instruction ID: 9adc845cc69336650d192eef3db4b3ed2ad06894ae4e25b88fede564e1ab4985
Opcode Fuzzy Hash: 86cc8647afec7b11613ff47499c9f0792f5b4f62f2aa40dc65d1d04f1ef5d3d7
Instruction Fuzzy Hash: 8F01A272800B199FC7309F66D880822F7F5FF503153158A3FD29692A32C371A955DF80

Function 008BD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008BD752

Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0

_free.LIBCMT ref: 008BD764
_free.LIBCMT ref: 008BD776
_free.LIBCMT ref: 008BD788
_free.LIBCMT ref: 008BD79A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cd7f2af3f5b828f2bf0d15fc4cb3cb52c039165c97d1b13749d380c5315126ad
Instruction ID: 8f462fdf409c519d11c6e35b488cf8a6a0844bf06594cf2e6758d3cefc09afb8
Opcode Fuzzy Hash: cd7f2af3f5b828f2bf0d15fc4cb3cb52c039165c97d1b13749d380c5315126ad
Instruction Fuzzy Hash: 47F0F97655A308BB8665EB68F9C6DDA7BDDFB45710BA40C05F048E7702DB20FC808A69

Function 008E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008E5C6F
MessageBeep.USER32(00000000), ref: 008E5C87
KillTimer.USER32(?,0000040A), ref: 008E5CA3
EndDialog.USER32(?,00000001), ref: 008E5CBD

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 085b300f09f864d4973d59aeb019445520f47cf99e58f14ee45059f26d2e5b98
Instruction ID: 4b24ede05611f118bcb5f986b239f2afd0db40b1cc09bbe53f06d5cf6ee4fd73
Opcode Fuzzy Hash: 085b300f09f864d4973d59aeb019445520f47cf99e58f14ee45059f26d2e5b98
Instruction Fuzzy Hash: B801F470640B04ABEB205B11DD5EFE677B8FF05B49F000159B283E10E1DBF4A984DB90

Function 008B22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008B22BE

Part of subcall function 008B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000), ref: 008B29DE
Part of subcall function 008B29C8: GetLastError.KERNEL32(00000000,?,008BD7D1,00000000,00000000,00000000,00000000,?,008BD7F8,00000000,00000007,00000000,?,008BDBF5,00000000,00000000), ref: 008B29F0

_free.LIBCMT ref: 008B22D0
_free.LIBCMT ref: 008B22E3
_free.LIBCMT ref: 008B22F4
_free.LIBCMT ref: 008B2305

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b0c9ff87da569c60488d0ca5a6914d3d98192d24089c04d1a3ba1364dbd0694f
Instruction ID: 094db9b7b112ca395bcb75fc37a46cd72ef30f22e4d289523c8d2f1140431dce
Opcode Fuzzy Hash: b0c9ff87da569c60488d0ca5a6914d3d98192d24089c04d1a3ba1364dbd0694f
Instruction Fuzzy Hash: 3BF0F4B54293109FC652AF59BC01E983F65F719752B050A06F818D6371C7310555BFE6

Function 008995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008995D4
StrokeAndFillPath.GDI32(?,?,008D71F7,00000000,?,?,?), ref: 008995F0
SelectObject.GDI32(?,00000000), ref: 00899603
DeleteObject.GDI32 ref: 00899616
StrokePath.GDI32(?), ref: 00899631

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e73b13ac8cbf16f8b3401d4065b0deca717b4abcfb9cc247f25d8b164361014a
Instruction ID: bee4a5ec1d1f31c6bfad2a53be1ffaa83be4d12818451adde1a9b22591861d4b
Opcode Fuzzy Hash: e73b13ac8cbf16f8b3401d4065b0deca717b4abcfb9cc247f25d8b164361014a
Instruction Fuzzy Hash: 75F0F67016D308EBDB126F6AFD287A93B61FB15363F088218E4A5950F0C7308991EF64

Function 008B0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008B10F9
__freea.LIBCMT ref: 008B1117

Part of subcall function 008B1537: _free.LIBCMT ref: 008B154F

Strings

am/pm, xrefs: 008B117A
a/p, xrefs: 008B11DE

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: d37a70634484d706aff039986c77e9f2467fa5d58c2abdcddc2f446e03ff6600
Instruction ID: 357069228142d3a2a177b64138ce1e005bcbf63e61a85bda51c2303d2a0f8247
Opcode Fuzzy Hash: d37a70634484d706aff039986c77e9f2467fa5d58c2abdcddc2f446e03ff6600
Instruction Fuzzy Hash: 0AD1C13190020A9ADF249F68C86DAFABBB1FF09704FA84159E501DFB50E7799D81CB91

Function 00907B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008A0242: EnterCriticalSection.KERNEL32(0095070C,00951884,?,?,0089198B,00952518,?,?,?,008812F9,00000000), ref: 008A024D
Part of subcall function 008A0242: LeaveCriticalSection.KERNEL32(0095070C,?,0089198B,00952518,?,?,?,008812F9,00000000), ref: 008A028A

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008A00A3: __onexit.LIBCMT ref: 008A00A9

__Init_thread_footer.LIBCMT ref: 00907BFB

Part of subcall function 008A01F8: EnterCriticalSection.KERNEL32(0095070C,?,?,00898747,00952514), ref: 008A0202
Part of subcall function 008A01F8: LeaveCriticalSection.KERNEL32(0095070C,?,00898747,00952514), ref: 008A0235

Strings

Variable must be of type 'Object'., xrefs: 00907C3A
G, xrefs: 00907C7F
5, xrefs: 00907C78

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 74eee41ac137f9ec28de0af9c9c34e4fbd0763e938dbea66e3170a270de72b08
Instruction ID: 72aeb5441c1d2cd46e35cba68fa043e6fbea041c68f39476d237e1ae2ea6ebbf
Opcode Fuzzy Hash: 74eee41ac137f9ec28de0af9c9c34e4fbd0763e938dbea66e3170a270de72b08
Instruction Fuzzy Hash: B9919A70A04209EFCB14EF98D8819BEB7B5FF49310F148459F846AB2D2DB71AE81CB51

Function 008E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008E21D0,?,?,00000034,00000800,?,00000034), ref: 008EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008E2760

Part of subcall function 008EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008EB3F8

Part of subcall function 008EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008EB355
Part of subcall function 008EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008E2194,00000034,?,?,00001004,00000000,00000000), ref: 008EB365
Part of subcall function 008EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008E2194,00000034,?,?,00001004,00000000,00000000), ref: 008EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008E281A

Strings

@, xrefs: 008E2832

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6e9c9a862e1a8e598f978f1c990c8ec9c77c31d881a38d28fb8f7e6aac189671
Instruction ID: 2e7800529742407eb754b01d8f0f1028c9c96caf595f414bef8b146b6b228c6d
Opcode Fuzzy Hash: 6e9c9a862e1a8e598f978f1c990c8ec9c77c31d881a38d28fb8f7e6aac189671
Instruction Fuzzy Hash: 26411D72900218BFDB10DBA9CD46ADEBBB8FF0A700F104055FA55B7181DB706E45CBA1

Function 008B172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008B1769
_free.LIBCMT ref: 008B1834
_free.LIBCMT ref: 008B183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008B1760, 008B1767, 008B1796, 008B17CE

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: ec13a0e81c84c12ab6dec53dfd9a2407110248ce2d99e9ef7d9bc5ecbc43845c
Instruction ID: ddba342ff9c5e9a58590e9856f3e6a5eb6ef518c31694187e4a2741bb905d48e
Opcode Fuzzy Hash: ec13a0e81c84c12ab6dec53dfd9a2407110248ce2d99e9ef7d9bc5ecbc43845c
Instruction Fuzzy Hash: 96318E71A44218ABDF21DF999889EDEBBFCFB85310F504166F814DB311DA708E40DB91

Function 008EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00951990,00AD5768), ref: 008EC395

Strings

0, xrefs: 008EC2DF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 53c067321636d91abb4d04e282b46e38aba478ea3c209dc7d5bec7d25492a5f4
Instruction ID: c83f7f55a2ddd82cd8f5b25d588049ae9d07a0a2962c28545a9f9cd3a2a92fb7
Opcode Fuzzy Hash: 53c067321636d91abb4d04e282b46e38aba478ea3c209dc7d5bec7d25492a5f4
Instruction Fuzzy Hash: 41418E71608381AFD720DF2AD844B5BBBA8FB86314F04861DF9A5D73D1D730A905CB62

Function 00914416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0091CC08,00000000,?,?,?,?), ref: 009144AA
GetWindowLongW.USER32 ref: 009144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009144D7

Strings

SysTreeView32, xrefs: 0091447C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cfcb732d9b54c019aa6ec4643d50ac387f560d189743552a173bd04cea866852
Instruction ID: e7fa08f033c213ca666279565c3425ba940e702dcd29e6a72e2116a6adfe790d
Opcode Fuzzy Hash: cfcb732d9b54c019aa6ec4643d50ac387f560d189743552a173bd04cea866852
Instruction Fuzzy Hash: 01319A72314609ABDF209E38DC45BEA7BAAEB08334F204725F975A21E0D770AC909B50

Function 0090304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0090335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00903077,?,?), ref: 00903378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0090307A
_wcslen.LIBCMT ref: 0090309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00903106

Strings

255.255.255.255, xrefs: 00903095, 0090309A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 74dc7423c998ac4a342cc36ecbbd9e5f75fa79a141682b8c17d547f705916e2e
Instruction ID: 341eeb10eb42ad59b1d1c2935616e05a910f6899a85399c53fa2c8d01054d73d
Opcode Fuzzy Hash: 74dc7423c998ac4a342cc36ecbbd9e5f75fa79a141682b8c17d547f705916e2e
Instruction Fuzzy Hash: 4731B0392042059FCB20CF29C485EAA77F8EF55318F24C499E8158B7D2DB72EE45C761

Function 00913EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00913F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00913F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00913F78

Strings

SysMonthCal32, xrefs: 00913F0B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f2be39259e1ca26ff02c878e9c58faf30685270ccf08df63c73bf365ead6fe95
Instruction ID: 06efe42a3f5ae2e07449aa92bfcfccb8452eb01e830fcb453001967ab6705c10
Opcode Fuzzy Hash: f2be39259e1ca26ff02c878e9c58faf30685270ccf08df63c73bf365ead6fe95
Instruction Fuzzy Hash: D121BC32610219BFEF218F94CC46FEA3B79EB88724F114214FA15BB1D0D6B1A891DB90

Function 00914653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00914705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00914713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0091471A

Strings

msctls_updown32, xrefs: 00914684

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d26e6e718e4e84d429826a7da7729b7b637044370cb23924c22ed6b4215b22a2
Instruction ID: 06967de18fadb1b7150218a99c32b03b32ea3c023c94bc5594a90f5cedc403da
Opcode Fuzzy Hash: d26e6e718e4e84d429826a7da7729b7b637044370cb23924c22ed6b4215b22a2
Instruction Fuzzy Hash: 4A216DB5604209AFEB11DF68DCD1DA737ADEB9A7A8B040059FA00DB291CB70EC51DB61

Function 008E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E961D

Strings

#requireadmin, xrefs: 008E95D9
#OnAutoItStartRegister, xrefs: 008E95F3
#notrayicon, xrefs: 008E95B7

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 977c681e4c74fc384e9b716e43ca0307cde0a48c6e1f5f4564aad981f5f9902e
Instruction ID: 54b323c02ce2dd1cd3e989ae72c07c12ac2135ca19be156bb4b49930e9c6de24
Opcode Fuzzy Hash: 977c681e4c74fc384e9b716e43ca0307cde0a48c6e1f5f4564aad981f5f9902e
Instruction Fuzzy Hash: 7B216872204694A6D731BB2A9C02FBB73A8FFA3304F144426F989D7051EBD49D91C3A2

Function 009137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00913840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00913850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00913876

Strings

Listbox, xrefs: 0091380F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 079cd0494f7074f991952ef6df0151e1f7d4511d5bd835ac700a053d2c1b0a96
Instruction ID: 54041c3eef6e7573a72bceec3216abbb8918ca9f38e0eb889a1ce9b059fda8c2
Opcode Fuzzy Hash: 079cd0494f7074f991952ef6df0151e1f7d4511d5bd835ac700a053d2c1b0a96
Instruction Fuzzy Hash: E021AC72710218BBEF218F64CC81FEB377EEF89754F108124F9009B190C6719C9287A0

Function 008F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008F4A5C
SetErrorMode.KERNEL32(00000000,?,?,0091CC08), ref: 008F4AD0

Strings

%lu, xrefs: 008F4A6F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 45b3d84b91efc86a2ad37ae259233359945b9d73a16b3f06048be62602b18a25
Instruction ID: 4ce46871df4c0deb3afe86ea6dd6b2e68cc146c99f006b88ae486232a14cfdd3
Opcode Fuzzy Hash: 45b3d84b91efc86a2ad37ae259233359945b9d73a16b3f06048be62602b18a25
Instruction Fuzzy Hash: A7317175A40109AFDB10DF68C885EAA7BF8FF09308F1480A9F909DB252D771ED45CB62

Function 009141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0091424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00914264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00914271

Strings

msctls_trackbar32, xrefs: 00914226

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 42ea53af47dfa4758ca2f335f185dc7f697e863bf6edcd8d76cb9509986d4aef
Instruction ID: 3497c9b96093cf58a7e0e76c3de07d008dd0ba0e170a340492d9c9213d0ed3f5
Opcode Fuzzy Hash: 42ea53af47dfa4758ca2f335f185dc7f697e863bf6edcd8d76cb9509986d4aef
Instruction Fuzzy Hash: AA11E031340208BEEF205E69CC06FEB3BACEF99B64F110524FA55E20A0D271DCA19B20

Function 008E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00886B57: _wcslen.LIBCMT ref: 00886B6A

Part of subcall function 008E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008E2DC5
Part of subcall function 008E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E2DD6
Part of subcall function 008E2DA7: GetCurrentThreadId.KERNEL32 ref: 008E2DDD
Part of subcall function 008E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008E2DE4

GetFocus.USER32 ref: 008E2F78

Part of subcall function 008E2DEE: GetParent.USER32(00000000), ref: 008E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008E2FC3
EnumChildWindows.USER32(?,008E303B), ref: 008E2FEB

Strings

%s%d, xrefs: 008E2FFF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ecfcd3bd9d287b4fdff2d6a8b422bfa4a5ab0d27f900efd0af010370e3480990
Instruction ID: 42512cadde227bf299fcdd307a596deed0a8ea8aa0735b79745aebef581cac3f
Opcode Fuzzy Hash: ecfcd3bd9d287b4fdff2d6a8b422bfa4a5ab0d27f900efd0af010370e3480990
Instruction Fuzzy Hash: 8111D2B17002496BCF047F698C89EEE376AFF85318F048075BA09EB252EE309D45CB61

Function 00915882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009158EE
DrawMenuBar.USER32(?), ref: 009158FD

Strings

0, xrefs: 0091588F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 35a7797234d35ea42aefcf8ceb9f6f8d176bb1f80b7bd4eb57b1f8f736e09079
Instruction ID: 752353551753424816ec0870401e0967acd0f588ebe7d188091e53d1094f26da
Opcode Fuzzy Hash: 35a7797234d35ea42aefcf8ceb9f6f8d176bb1f80b7bd4eb57b1f8f736e09079
Instruction Fuzzy Hash: BD018B31604218EFDB219F11DC44BEEBBB9FB85360F158099F849DA161DB308A80EF22

Function 008DD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008DD3BF
FreeLibrary.KERNEL32 ref: 008DD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 008DD3B9
X64, xrefs: 008DD2A8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f134a448645b6c5ad0b9077e295dc32c0e3ee611629af4618825ff8d29164343
Instruction ID: 6cb9b6e70bf09246b2052eb944dbb8cf5ac5cac172346774cef45d13dd25bf85
Opcode Fuzzy Hash: f134a448645b6c5ad0b9077e295dc32c0e3ee611629af4618825ff8d29164343
Instruction Fuzzy Hash: 29F055B1AC9B29ABD73962108C14EAE7320FF00705B58831BE802E6345E720CC858282

Function 008E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e489ef25ec77998d6baa9b1f44921eca80a5f7ccc83227dfb1c153d7121c26
Instruction ID: 909d21c6ed604434a3eb4070ad4b6a178cb793947cd063a535c99166f679d736
Opcode Fuzzy Hash: f7e489ef25ec77998d6baa9b1f44921eca80a5f7ccc83227dfb1c153d7121c26
Instruction Fuzzy Hash: 76C16B75A0024AEFCB15CFA9C894AAEB7B5FF49304F208998E505EB251D771ED81CF90

Function 008B3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008B3F0B
__alldvrm.LIBCMT ref: 008B410C
__alldvrm.LIBCMT ref: 008B412E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 68dab752abb6f3f92f29355bb6d4b19ed5f82c6dda17744e272832c633c9bdb4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 40A12371E006869FEB219E18C892BEABBE4FF62350F18416DE585DB383C6348982C751

Function 0090342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00903459
CoUninitialize.OLE32 ref: 00903463
VariantInit.OLEAUT32(?), ref: 0090346E
VariantClear.OLEAUT32(?), ref: 0090371B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c9d152a493746c0f15619b21c04e39e44987e8766d27083cb92dc736a5a4b28a
Instruction ID: d0de28f001d3a1b1f1315eca64ff258782ff5a52f7bb37de2d858888b045c02a
Opcode Fuzzy Hash: c9d152a493746c0f15619b21c04e39e44987e8766d27083cb92dc736a5a4b28a
Instruction Fuzzy Hash: 78A12D756047009FCB10EF28C585A2AB7E9FF89714F148859F99ADB3A2DB31ED01CB52

Function 008E0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0091FC08,?), ref: 008E05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0091FC08,?), ref: 008E0608
CLSIDFromProgID.OLE32(?,?,00000000,0091CC40,000000FF,?,00000000,00000800,00000000,?,0091FC08,?), ref: 008E062D
_memcmp.LIBVCRUNTIME ref: 008E064E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f21b7aa26118e129b293949ec0df95996231c5f0fb1f6c73e483b3cc8c5e805c
Instruction ID: b142c0a43cd926422dd677fb69ef2233395d8147e232d3fcf6e108e39e7939e2
Opcode Fuzzy Hash: f21b7aa26118e129b293949ec0df95996231c5f0fb1f6c73e483b3cc8c5e805c
Instruction Fuzzy Hash: 1A81E775A00209AFCB04DF94C984EEEB7B9FF89315B204598E516EB250DB71AE46CF60

Function 0090A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0090A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0090A6BA

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Process32NextW.KERNEL32(00000000,?), ref: 0090A79C
CloseHandle.KERNEL32(00000000), ref: 0090A7AB

Part of subcall function 0089CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008C3303,?), ref: 0089CE8A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 37418c436fa3e665782d150c78394de725b13babc453641503bab9776f3ba6e2
Instruction ID: 35fc65af19946de1e1c5003d599c30733794390bcc1af6bdecc32f1461264927
Opcode Fuzzy Hash: 37418c436fa3e665782d150c78394de725b13babc453641503bab9776f3ba6e2
Instruction Fuzzy Hash: EF514C71508311AFD714EF28D886A6BBBE8FF89754F04892DF585D7291EB30E904CB92

Function 008C1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008C14C0

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cf7ed98a3de7da4e458eab374baa6e19688c006998730cc7ab894dca4143261
Instruction ID: a75d3a3b05225c6caf35589e2dd88bdf76c63300d9d978ef4cd1b3eedd10211b
Opcode Fuzzy Hash: 4cf7ed98a3de7da4e458eab374baa6e19688c006998730cc7ab894dca4143261
Instruction Fuzzy Hash: 5F410931600504ABEF296AFC8CC9FAE3AB6FF43370F244629F519D6693E674C8415267

Function 00916278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009162E2
ScreenToClient.USER32(?,?), ref: 00916315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00916382

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b0838ff4b834b1286241aca43a4b62a574b381b199e9250811bb8bfb0246aa78
Instruction ID: efddbb7d4c9e7d20ff880c6e55182d06ad593c37b5b626167a016f56628c490e
Opcode Fuzzy Hash: b0838ff4b834b1286241aca43a4b62a574b381b199e9250811bb8bfb0246aa78
Instruction Fuzzy Hash: 98510974A00209AFDF14DF68D980AEE7BB9FB45360F108569F865DB2A0D770ED82DB50

Function 00901AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00901AFD
WSAGetLastError.WSOCK32 ref: 00901B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00901B8A
WSAGetLastError.WSOCK32 ref: 00901B94

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 771d2d37794c8cc3cc481abe3ebe58d2d1932257d2c8e60311b538478a41e5ee
Instruction ID: b300b0a8d89892931f0bc99ebe361b6d4f8f212a409db4e0f07d3d8b26a6c640
Opcode Fuzzy Hash: 771d2d37794c8cc3cc481abe3ebe58d2d1932257d2c8e60311b538478a41e5ee
Instruction Fuzzy Hash: 8E419F74640200AFE720AF28C886F6A77E5EB44718F548498FA1A9F7D2D772ED41CB91

Function 008BB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f5e66055777da0880f3cc2bf31b8a5e003f30aee1c85b29598b1f36828a6be
Instruction ID: 844303fc3ab9b277b1e228a7644f597eebf71fa4b64a0fd2c13157b1387eb6ec
Opcode Fuzzy Hash: 91f5e66055777da0880f3cc2bf31b8a5e003f30aee1c85b29598b1f36828a6be
Instruction Fuzzy Hash: 62410475A00704AFD724AF7CCC45BAABBA9FB89710F10852EF152DB782D7B1D9018785

Function 008F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008F5783
GetLastError.KERNEL32(?,00000000), ref: 008F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008F57FA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: fed0018a4bd58d27f985694cd8bf6b8bb27adc26f7d614017bf0e9a3054dacfb
Instruction ID: 956da3ce9f3a54af8544136d064e844c9dda234e96a02d04d585ba7fe4b5b561
Opcode Fuzzy Hash: fed0018a4bd58d27f985694cd8bf6b8bb27adc26f7d614017bf0e9a3054dacfb
Instruction Fuzzy Hash: 7C411C35610614DFCB11EF19C544A5ABBF1FF89720B188498E95ADB762CB30FD40CB92

Function 008BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008A6D71,00000000,00000000,008A82D9,?,008A82D9,?,00000001,008A6D71,8BE85006,00000001,008A82D9,008A82D9), ref: 008BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008BD9AB
__freea.LIBCMT ref: 008BD9B4

Part of subcall function 008B3820: RtlAllocateHeap.NTDLL(00000000,?,00951444,?,0089FDF5,?,?,0088A976,00000010,00951440,008813FC,?,008813C6,?,00881129), ref: 008B3852

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 57cd00746b1d29e8876be277bd4514c07c70d791b0caa26bf6739ba885773b10
Instruction ID: dc5d934bb8e1533633986ea8e1f5645022a9f1c60d64fe5363ef95f91380b926
Opcode Fuzzy Hash: 57cd00746b1d29e8876be277bd4514c07c70d791b0caa26bf6739ba885773b10
Instruction Fuzzy Hash: 4F31AB72A0060AABDF249F68DC45EEE7FA5FB41310B054168FC04EA2A0EB35DD55CBA1

Function 009152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00915352
GetWindowLongW.USER32(?,000000F0), ref: 00915375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00915382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009153A8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a5b29b62df92bb2d685142b138eb804203070122c4c9dbc949abe2fa8422294f
Instruction ID: e635b1d591247686fed94c80d975952475de9239077d82517361e560af5bf32b
Opcode Fuzzy Hash: a5b29b62df92bb2d685142b138eb804203070122c4c9dbc949abe2fa8422294f
Instruction Fuzzy Hash: 4A31C170B65A0CEFEB249A14CC15BE83769AB843D0F9B4102FA30971E1C7B499C2EB41

Function 008EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008EAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008EACC6

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c1b514581bab8804ef9d322355fc16b66a851d758342543d4cb4539361e9ab73
Instruction ID: 2a566acb9456c1cafcfef1815e012b3cabc2c4f7f583201a520e0c33960b1b2e
Opcode Fuzzy Hash: c1b514581bab8804ef9d322355fc16b66a851d758342543d4cb4539361e9ab73
Instruction Fuzzy Hash: 26312870A44398AFEF38CB66CC047FA7BA5FB86B10F28421AE495D21D0C374A9859753

Function 00917674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0091769A
GetWindowRect.USER32(?,?), ref: 00917710
PtInRect.USER32(?,?,00918B89), ref: 00917720
MessageBeep.USER32(00000000), ref: 0091778C

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 946d9230d940d9ed090db4bd53f92355c12719e0792f069827223cfb4361f8e9
Instruction ID: 930346727724c1a189a31811851dfafbc54a2258117ce7d78985303f3d91cf79
Opcode Fuzzy Hash: 946d9230d940d9ed090db4bd53f92355c12719e0792f069827223cfb4361f8e9
Instruction Fuzzy Hash: F2417A74B0921A9FCB01CF99D894FE9F7F9BB49315F1581A8E8149B2A1C730A981DB90

Function 009116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009116EB

Part of subcall function 008E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008E3A57
Part of subcall function 008E3A3D: GetCurrentThreadId.KERNEL32 ref: 008E3A5E
Part of subcall function 008E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008E25B3), ref: 008E3A65

GetCaretPos.USER32(?), ref: 009116FF
ClientToScreen.USER32(00000000,?), ref: 0091174C
GetForegroundWindow.USER32 ref: 00911752

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 569419fab99a9f687943ff4d23032273ef884fadde595f4bce2a019f5bef0fa8
Instruction ID: 10154b6ed062e1a1e4eec4dcf735ae68eb976d0f05e6f718a33fdd826ee106ec
Opcode Fuzzy Hash: 569419fab99a9f687943ff4d23032273ef884fadde595f4bce2a019f5bef0fa8
Instruction Fuzzy Hash: 68313E71E00149AFDB00EFA9C885CEEBBFDFF48304B5080A9E515E7251EA319E45CBA1

Function 008EDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625

_wcslen.LIBCMT ref: 008EDFCB
_wcslen.LIBCMT ref: 008EDFE2
_wcslen.LIBCMT ref: 008EE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008EE018

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 42d3754e1651dd45c9c9e772d82564b94c4ab70ebeffcac369f689923cf30450
Instruction ID: 080ac4c957e3b1b2deed5f878ad8c2a641acb9c0d5de4261b319b7bdd2c62c18
Opcode Fuzzy Hash: 42d3754e1651dd45c9c9e772d82564b94c4ab70ebeffcac369f689923cf30450
Instruction Fuzzy Hash: 6E21A371900614AFDF10EFA8D981BAEB7F8FF86750F144065E905FB245D6709E40CBA2

Function 00918FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

GetCursorPos.USER32(?), ref: 00919001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008D7711,?,?,?,?,?), ref: 00919016
GetCursorPos.USER32(?), ref: 0091905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008D7711,?,?,?), ref: 00919094

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 33b2e9ed1d395e9b19ef2985605db1244b5f62eed15f828ffac6aa55bbba4905
Instruction ID: 1ffc8d716bb34fc51218f9e83dfac630a9e595242a05d6609db5edf234f0e223
Opcode Fuzzy Hash: 33b2e9ed1d395e9b19ef2985605db1244b5f62eed15f828ffac6aa55bbba4905
Instruction Fuzzy Hash: 83219F35711118EFCB25CF99CC68EEA7BB9EB49361F044069F90587261C3359D90EB60

Function 008ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0091CB68), ref: 008ED2FB
GetLastError.KERNEL32 ref: 008ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0091CB68), ref: 008ED376

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0df307a847aea69c0f446c629e90db74ab8296ef73481cc963818d7514c48c09
Instruction ID: c893fe436b23aa079b46667c3b51c99a3bebd3818672ea8c2cd496633502e29c
Opcode Fuzzy Hash: 0df307a847aea69c0f446c629e90db74ab8296ef73481cc963818d7514c48c09
Instruction Fuzzy Hash: 952180746483419F8310EF29C8814AAB7E4FE56324F504A1DF499D73E1E730D94ACB93

Function 008E1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008E102A
Part of subcall function 008E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008E1036
Part of subcall function 008E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1045
Part of subcall function 008E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008E104C
Part of subcall function 008E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008E1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008E15BE
_memcmp.LIBVCRUNTIME ref: 008E15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E1617
HeapFree.KERNEL32(00000000), ref: 008E161E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7a95649e6852162e9e9b2d6058921dd669db45c4f932d5f24029a669e0024611
Instruction ID: b9aa53000584d452a6d57383bb9243b8645ebc9627c074f538161882cdbb6e62
Opcode Fuzzy Hash: 7a95649e6852162e9e9b2d6058921dd669db45c4f932d5f24029a669e0024611
Instruction Fuzzy Hash: A0215571E40208AFDF00DFA6C949BEEB7B8FF56354F088459E445EB251E730AA05DBA0

Function 00912782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0091280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00912824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00912832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00912840

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 48cad5293204ec990d5518bda408b35bb3faa78dc738e0240030425a533d601e
Instruction ID: 3d8af9183c1bb04eef7987e9b0503b39c80ab26f1b5bb04b5c175dcc23db121a
Opcode Fuzzy Hash: 48cad5293204ec990d5518bda408b35bb3faa78dc738e0240030425a533d601e
Instruction Fuzzy Hash: C821A131308519AFD714AB24C845FEA7B99EF86324F148158F426CB6E2CB75FC92CB91

Function 008E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008E790A,?,000000FF,?,008E8754,00000000,?,0000001C,?,?), ref: 008E8D8C
Part of subcall function 008E8D7D: lstrcpyW.KERNEL32(00000000,?,?,008E790A,?,000000FF,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E8DB2
Part of subcall function 008E8D7D: lstrcmpiW.KERNEL32(00000000,?,008E790A,?,000000FF,?,008E8754,00000000,?,0000001C,?,?), ref: 008E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E7923
lstrcpyW.KERNEL32(00000000,?,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008E8754,00000000,?,0000001C,?,?,00000000), ref: 008E7984

Strings

cdecl, xrefs: 008E797B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 00cf106d1b89f4d76b5950f9b7208359d8eeb40dc2000836746f2e137c709a83
Instruction ID: 8f39b2f715b8fddfad99b29a0851448d99e019ed07b5bfe254de3254b5c1f281
Opcode Fuzzy Hash: 00cf106d1b89f4d76b5950f9b7208359d8eeb40dc2000836746f2e137c709a83
Instruction Fuzzy Hash: 1811293A304381AFCB156F3ACC44E7A77A5FF86350B10802AF906CB265EB35D801D751

Function 00917CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00917D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00917D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00917D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008FB7AD,00000000), ref: 00917D6B

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 91c9e6096b34af5c2a69209ce74ea5cd986a6f7d91ed026f2d955bbad136026e
Instruction ID: 007a09edfd3778ecf72f0d59d2c49b452009a18482aff39cf82e905592225be5
Opcode Fuzzy Hash: 91c9e6096b34af5c2a69209ce74ea5cd986a6f7d91ed026f2d955bbad136026e
Instruction Fuzzy Hash: 9311C07531861AAFCB109F68EC04AE67BA9AF45364F158724F835C72F0D7308990DB90

Function 00915660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009156BB
_wcslen.LIBCMT ref: 009156CD
_wcslen.LIBCMT ref: 009156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00915816

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 42b3ee252756f22ca59bf9e7699badea4cbb528f49b051e185c2f2df1c4601ca
Instruction ID: 01ae2534a09b5ffa3d11324c8b40c3937207042aeaf6f4f787e73eb40f11859b
Opcode Fuzzy Hash: 42b3ee252756f22ca59bf9e7699badea4cbb528f49b051e185c2f2df1c4601ca
Instruction Fuzzy Hash: 0011E17170060CDADF209F66CC81AEE77ACEF913A4F524426F915D6091E7748AC0CBA1

Function 008B1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd99c9ee4a2b85d23b61ba2ab79835549747ad6acae23aa149ae6cce89df91ff
Instruction ID: 8df9655e24194d40591aea2fddb831e0052e20c45a12425f76f6927ae33a49a0
Opcode Fuzzy Hash: dd99c9ee4a2b85d23b61ba2ab79835549747ad6acae23aa149ae6cce89df91ff
Instruction Fuzzy Hash: 9401ADB220961A7EFA2126786CD5FE76A1CFF817B8F780325F521E93D2DB608C009160

Function 008E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008E1A8A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4811b50233b8ea08c3d36cd5d8f5b2c0944b351eb99f1632f85b321c84323a29
Instruction ID: 55626c98e512d1fc36bcbca77656d17ff3acff50aaaa0a402a94f19c7fd3d643
Opcode Fuzzy Hash: 4811b50233b8ea08c3d36cd5d8f5b2c0944b351eb99f1632f85b321c84323a29
Instruction Fuzzy Hash: 83112A3A901229FFEF109BA5C985FADBB78FB04750F2000A1EA00B7290D7716E50DB94

Function 008EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008EE24D

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 45b4d4511db5a025af952782f13bd924a23fce761acf204c32463c88474b05c3
Instruction ID: 16fbe46ac6deffde204d78cc83821903585b423eaea991f0844385267e37e708
Opcode Fuzzy Hash: 45b4d4511db5a025af952782f13bd924a23fce761acf204c32463c88474b05c3
Instruction Fuzzy Hash: 17112BB6E18358BBC7019FA99C05BDE7FACEB46311F008215F924E3290D2B0CD04D7A0

Function 008AD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008ACFF9,00000000,00000004,00000000), ref: 008AD218
GetLastError.KERNEL32 ref: 008AD224
__dosmaperr.LIBCMT ref: 008AD22B
ResumeThread.KERNEL32(00000000), ref: 008AD249

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: fc8941fd871ee98d3f3e9e8cb0f6e56ccc6012a2c1cd7e39e3a787ca1b60b7f4
Instruction ID: 9cfe09f81ffd9c3e32d5e909a491bf1efe2b34243035b0eddab892e0649bb769
Opcode Fuzzy Hash: fc8941fd871ee98d3f3e9e8cb0f6e56ccc6012a2c1cd7e39e3a787ca1b60b7f4
Instruction Fuzzy Hash: 0B012676504308BBE7106BA9DC09BAE7A68FF83330F104229F926D29D0DFB0D801C6A1

Function 00919EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00899BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00899BB2

GetClientRect.USER32(?,?), ref: 00919F31
GetCursorPos.USER32(?), ref: 00919F3B
ScreenToClient.USER32(?,?), ref: 00919F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00919F7A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f9fa5a3dc8a4682e346c44dd54a0db631b75426d509da87695640173d89ddf77
Instruction ID: d1a9205354bb1a57bb096fab1fff1710e76f915989ae488e1b44abd70e7d71ed
Opcode Fuzzy Hash: f9fa5a3dc8a4682e346c44dd54a0db631b75426d509da87695640173d89ddf77
Instruction Fuzzy Hash: 8B113672A0421ABBDB10DFA8D855AEE77B9FB45311F404455F911E3240D330BEC2DBA1

Function 0088600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0088604C
GetStockObject.GDI32(00000011), ref: 00886060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0088606A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d926bf662e995624b8a8d0dcfbf3c08c21d295e07289df8396571ccbae460ee4
Instruction ID: e689921893cac10b195ad7cec285553e1c2141a4802d480b04376e52063cbe46
Opcode Fuzzy Hash: d926bf662e995624b8a8d0dcfbf3c08c21d295e07289df8396571ccbae460ee4
Instruction Fuzzy Hash: C211C4B2205908BFEF125F94DC54FEA7B69FF183A4F004105FA04A2120D732DC60EB91

Function 008A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008A3B56

Part of subcall function 008A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008A3AD2
Part of subcall function 008A3AA3: ___AdjustPointer.LIBCMT ref: 008A3AED

_UnwindNestedFrames.LIBCMT ref: 008A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008A3BA4

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cbd31d306e44f46b4bb01f8b2e77d4f798fb6ccaba96133078a071035dbf21be
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2B014C32100148BBEF125E99DC42EEB7F6EFF8A764F044014FE48A6521C772E961DBA1

Function 008B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008813C6,00000000,00000000,?,008B301A,008813C6,00000000,00000000,00000000,?,008B328B,00000006,FlsSetValue), ref: 008B30A5
GetLastError.KERNEL32(?,008B301A,008813C6,00000000,00000000,00000000,?,008B328B,00000006,FlsSetValue,00922290,FlsSetValue,00000000,00000364,?,008B2E46), ref: 008B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008B301A,008813C6,00000000,00000000,00000000,?,008B328B,00000006,FlsSetValue,00922290,FlsSetValue,00000000), ref: 008B30BF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 48cd93a4e865bec8153790bb6f6a26dd1e71e92cdf7a5b1e05e7fe8f5cc04f4d
Instruction ID: d1239b2918e4cbbac7e217198895567082d08f780c299b47c254500ef7f4365c
Opcode Fuzzy Hash: 48cd93a4e865bec8153790bb6f6a26dd1e71e92cdf7a5b1e05e7fe8f5cc04f4d
Instruction Fuzzy Hash: 6A01D476759A26ABCB315A79AC449D77B98FF45B61B204620F916E3240CB21D902C6E0

Function 008E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008E74CA

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8ac0c077d15ede32f758c9049d10faa022a485f255b268a7cec988c53b3a059f
Instruction ID: 202aa587b4c20e2ede52d8ff00e0b5ce4c1d011a29251809d7f007be8a755620
Opcode Fuzzy Hash: 8ac0c077d15ede32f758c9049d10faa022a485f255b268a7cec988c53b3a059f
Instruction Fuzzy Hash: 34118BB5349359ABE7208F15EC08B927BFCFB01B08F108569AA16DA1D1D7B0E944DB64

Function 008EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008EACD3,?,00008000), ref: 008EB126

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2ac21fd5ae344c5fdc3d101ad3f253a98fc9d75369fcf2204be0aa1bb5427ee4
Instruction ID: 997ffddad1a763cb1ad929724018e4092ba1dd1c34f7e8734a90f4c77071fddf
Opcode Fuzzy Hash: 2ac21fd5ae344c5fdc3d101ad3f253a98fc9d75369fcf2204be0aa1bb5427ee4
Instruction Fuzzy Hash: CF113C71D4565DEBCF00AFE5E9986EFBB78FF0A721F104085D941B2141DB305550EB51

Function 00917E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00917E33
ScreenToClient.USER32(?,?), ref: 00917E4B
ScreenToClient.USER32(?,?), ref: 00917E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00917E8A

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 38cdd0c5e2abd54d32a69998a1eb62db92877706a9980e574f688624d53c9fe0
Instruction ID: 8c5b9bdc3b6cf1c7e6a51915e94fb2f4715dfb6aac3b63a1e6959f2afa2d59f5
Opcode Fuzzy Hash: 38cdd0c5e2abd54d32a69998a1eb62db92877706a9980e574f688624d53c9fe0
Instruction Fuzzy Hash: 171156B9E0420AAFDB41CF98C8849EEBBF9FF08310F509056E915E3210D775AA54DF50

Function 008E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008E2DD6
GetCurrentThreadId.KERNEL32 ref: 008E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008E2DE4

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ebac3ab11af8f663194d7d885039408a0384becfd9f53f368fbd6afbddc0d731
Instruction ID: 6f93b8a646daf39b2559caf7dfc3542c751f58e9bc85b43e9a684abaea3bdd08
Opcode Fuzzy Hash: ebac3ab11af8f663194d7d885039408a0384becfd9f53f368fbd6afbddc0d731
Instruction Fuzzy Hash: 28E06DB17992287AD7201B639C0DEEB3E6CFB43BA1F404215B205D1080DAA08840D6B0

Function 00918863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00899639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00899693
Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996A2
Part of subcall function 00899639: BeginPath.GDI32(?), ref: 008996B9
Part of subcall function 00899639: SelectObject.GDI32(?,00000000), ref: 008996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00918887
LineTo.GDI32(?,?,?), ref: 00918894
EndPath.GDI32(?), ref: 009188A4
StrokePath.GDI32(?), ref: 009188B2

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5e4d0faef48b1b74809e19ddca5156b6eeafee34f922f443d9054589cd49a976
Instruction ID: 141f8a60f750cbd382cf04169ab2a72871984df842ea86a0301719b73d36d1ad
Opcode Fuzzy Hash: 5e4d0faef48b1b74809e19ddca5156b6eeafee34f922f443d9054589cd49a976
Instruction Fuzzy Hash: B5F05E36299258FADF126F94AC0AFCE3F59AF0A311F048040FA11650E1C7755551EFE9

Function 008998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008998CC
SetTextColor.GDI32(?,?), ref: 008998D6
SetBkMode.GDI32(?,00000001), ref: 008998E9
GetStockObject.GDI32(00000005), ref: 008998F1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9c08eb4720aae3c1676de20aa383c64b8a7c3d1676083ff6a94bac95afb9519d
Instruction ID: 217bf6244ecd7abfb4b172e6c479a942d77dac9fa432db72c5ae3f8d6b558f6a
Opcode Fuzzy Hash: 9c08eb4720aae3c1676de20aa383c64b8a7c3d1676083ff6a94bac95afb9519d
Instruction Fuzzy Hash: B1E03971398280AADB215B78AC09BE83F21EB12336F14C21AF6FA980E1C7714640EB11

Function 008E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008E11D9), ref: 008E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008E11D9), ref: 008E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008E11D9), ref: 008E164F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 39b2b260552890a0cf351f2f53790a5dc30c281b7b38b186168d4f9589befcbc
Instruction ID: b40df5f69bf02d5d89ae1d577b5d7e370fe622c4611050a747db7fc1145345a9
Opcode Fuzzy Hash: 39b2b260552890a0cf351f2f53790a5dc30c281b7b38b186168d4f9589befcbc
Instruction Fuzzy Hash: DDE08CB2796221EBDB201FA1AE0DBC63B7CFF59792F14CC08F245DA090E6348541DB60

Function 008DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008DD858
GetDC.USER32(00000000), ref: 008DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008DD882
ReleaseDC.USER32(?), ref: 008DD8A3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 636941c8e8bf024d4740e5fe04c5f8f10fac5538dc9a3e1f337c1ae34d99549b
Instruction ID: d79da5f5b72a7a31798628f6482209af1ba55f1b975e74dc15b0ee80cd737485
Opcode Fuzzy Hash: 636941c8e8bf024d4740e5fe04c5f8f10fac5538dc9a3e1f337c1ae34d99549b
Instruction Fuzzy Hash: D8E01AB4A54209EFCF41AFA0D90C6ADBBB1FB08350F14D419E80AE7250CB385901FF50

Function 008DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008DD86C
GetDC.USER32(00000000), ref: 008DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008DD882
ReleaseDC.USER32(?), ref: 008DD8A3

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b1cd014b932f0bb1017aeb8ffce9e7e57ef199bedbdb4b558ead68bb914a3ee0
Instruction ID: 92c47614feaadd4f28ad3e7c0e5db1c14b1aeff1449fd72a969ccb66713a8629
Opcode Fuzzy Hash: b1cd014b932f0bb1017aeb8ffce9e7e57ef199bedbdb4b558ead68bb914a3ee0
Instruction Fuzzy Hash: D9E012B4E58209EFCF40AFA0D80C6ADBBB1FB08350B149008E90AE7250CB385A01EF50

Function 008F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00887620: _wcslen.LIBCMT ref: 00887625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008F4ED4

Strings

LPT, xrefs: 008F4DFB
*, xrefs: 008F4E10

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e4e6249224fd4bde16aa63cd95c1899731c2e8bbecd23ac81fc06452dd521f59
Instruction ID: 16782eab6013530a53e7013d0b613b51c8a51ece05393b0f7aa9838de994f4d1
Opcode Fuzzy Hash: e4e6249224fd4bde16aa63cd95c1899731c2e8bbecd23ac81fc06452dd521f59
Instruction Fuzzy Hash: 09913D75A002089FCB14DF68C484EAABBF1FF45318F189099E54ADB362DB31ED85CB91

Function 008AE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008AE30D

Strings

pow, xrefs: 008AE2E5, 008AE302

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 93df5703e5282d8914edb16d00e61be9127704b7a154a2bdda008838fbbe9309
Instruction ID: 683e303d02fe61074f8336874baa3e4e6c8cf4e25666e10737478d289acc5c69
Opcode Fuzzy Hash: 93df5703e5282d8914edb16d00e61be9127704b7a154a2bdda008838fbbe9309
Instruction Fuzzy Hash: D1515B61A1C70696EB257718C9013F93BA4FF81B80F344DA8E096C27ADEB348C959A46

Function 0089E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0089E1B1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d2fbe34389b350fafdc4b88924cbf629790b775be196d17f3e583b16aaf1fb5b
Instruction ID: 4a9939e7fc3a79cb8b0b3846cec73a964f71782679485ecf3b84b62771c5d08b
Opcode Fuzzy Hash: d2fbe34389b350fafdc4b88924cbf629790b775be196d17f3e583b16aaf1fb5b
Instruction Fuzzy Hash: 7F51FF7590424ADFDF25FFA8C481ABA7BA8FF15310F284156F891DF290DA309D42CBA1

Function 0089F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0089F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0089F2BB

Strings

@, xrefs: 0089F2AF

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 688c81f92f2a81f04939300ebafcb7bc46cdff31c7d7feefd07adfd4788cb0d7
Instruction ID: d50aa858f7faef60eaef66e4d012281af54e627abd0c23015e3968af73d6cbf7
Opcode Fuzzy Hash: 688c81f92f2a81f04939300ebafcb7bc46cdff31c7d7feefd07adfd4788cb0d7
Instruction Fuzzy Hash: FC51397141C7449BE320AF14E886BABB7F8FF84304F91885DF299911A5EB708529CB67

Function 00905745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009057E0
_wcslen.LIBCMT ref: 009057EC

Strings

CALLARGARRAY, xrefs: 009057E6, 009057EB

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 4cb21f1aaa846e17dd69f0d3c7d82d57a6c9a4cf214682ad028a0e85a87ae696
Instruction ID: aad8f736a9b8ea95609a5785acd6d032fdea81a7fe842f6e3359c32b28ff76d9
Opcode Fuzzy Hash: 4cb21f1aaa846e17dd69f0d3c7d82d57a6c9a4cf214682ad028a0e85a87ae696
Instruction Fuzzy Hash: AB419F71A006099FCB14EFA9C8819BEBBF9FF59314F158069E905E72A1E7309D81CF91

Function 008FD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008FD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008FD13A

Strings

|, xrefs: 008FD10B

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b11cf2aab0199340f0f8a577942739e750be8a800c1ae790d679be92f30dd94c
Instruction ID: 59f5c339be94f8e4ce18100d05ee0c9578b324890aa2df0e427ee09960bcb0f2
Opcode Fuzzy Hash: b11cf2aab0199340f0f8a577942739e750be8a800c1ae790d679be92f30dd94c
Instruction Fuzzy Hash: 0F311A71D00219ABDF15EFA8CC85AEEBFBAFF05300F100019F915E6162E731AA56DB61

Function 0091356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00913621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0091365C

Strings

static, xrefs: 009135BC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ec4bfb8c41d43a3dd7627c42041fc6198db5c77cad1bbfe7a693739f7331cb19
Instruction ID: 7991707a95feb25cb0a1634d15c2d2a7601fbb216da6627133ab3907b8287089
Opcode Fuzzy Hash: ec4bfb8c41d43a3dd7627c42041fc6198db5c77cad1bbfe7a693739f7331cb19
Instruction Fuzzy Hash: 8E318E71210608AADB109F28DC41AFB73BDFF88764F108619F9A5D7280DA30AD91D760

Function 00914537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0091461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00914634

Strings

', xrefs: 0091458E

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fc1906a7f2ed7fc1156310f625c1699d12aeabe23fdb2798bd885fe4454e521f
Instruction ID: 1fb1b64fe0e85c180b20168d2eb532f4ea4349ccba331bc6429d70d2ed57a9c7
Opcode Fuzzy Hash: fc1906a7f2ed7fc1156310f625c1699d12aeabe23fdb2798bd885fe4454e521f
Instruction Fuzzy Hash: 28310774B0130E9FDB14CF69C990BDA7BBAFB49344F14406AE905AB351D770A941CF90

Function 009131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0091327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00913287

Strings

Combobox, xrefs: 00913249

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 69d4a67fdf97f062d612eabcf60ad5d7823b15f2f7a5d37da5a881d450b0aff5
Instruction ID: b758d0258baba9330142fdf2311b3f4814b59045720623a0933a98db28d7f748
Opcode Fuzzy Hash: 69d4a67fdf97f062d612eabcf60ad5d7823b15f2f7a5d37da5a881d450b0aff5
Instruction Fuzzy Hash: 3111B67130420C7FEF21AE54DC80EFB376EEB94364F108524F92497290D6319D919760

Function 00913710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0088600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0088604C
Part of subcall function 0088600E: GetStockObject.GDI32(00000011), ref: 00886060
Part of subcall function 0088600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0088606A

GetWindowRect.USER32(00000000,?), ref: 0091377A
GetSysColor.USER32(00000012), ref: 00913794

Strings

static, xrefs: 00913757

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8e40f1e9beeac6c260735ebbe9695dbda73b33f2b72db10db9359ff881723b76
Instruction ID: f9fedc3a09c20bb701e76718b3074b82066af5e3c6690447b5c2a9f423d75624
Opcode Fuzzy Hash: 8e40f1e9beeac6c260735ebbe9695dbda73b33f2b72db10db9359ff881723b76
Instruction Fuzzy Hash: 1D113AB2650209AFDF01DFA8CC45EEA7BF8FB08354F004914F955E2250E735E851DB50

Function 008FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008FCDA6

Strings

<local>, xrefs: 008FCD66

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 58245625bfef9f011597e8c724fa83098c9e0b219ab66a666dd441d183fbe637
Instruction ID: 91591af698a533151fdcd47e9516a38214cc2ffb2895b0ec32425d5cea90f161
Opcode Fuzzy Hash: 58245625bfef9f011597e8c724fa83098c9e0b219ab66a666dd441d183fbe637
Instruction Fuzzy Hash: CC11A3B125563DBAD7246A768C45EFBBEA8FF127A8F004226B209C2080D6709A41D6F0

Function 00913429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009134BA

Strings

edit, xrefs: 0091348F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 10f7d99ef7ba8fd96a5e5dcb5328f983c540c72e3a314611fde40a7c408d9223
Instruction ID: 0b161a7c5d5213dc2a969b7f5a470fd44ceec544436e48bda2f928ba0fc9b14c
Opcode Fuzzy Hash: 10f7d99ef7ba8fd96a5e5dcb5328f983c540c72e3a314611fde40a7c408d9223
Instruction Fuzzy Hash: 03116D71210208AAEB228E64DC44AEB376EEB55378F508724FA65931E0C775DC91A750

Function 008E6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

CharUpperBuffW.USER32(?,?,?), ref: 008E6CB6
_wcslen.LIBCMT ref: 008E6CC2

Strings

STOP, xrefs: 008E6CBC, 008E6CC1

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 668e3cfc26736206c8be2a5b1a33eae6cbd442bde13dcbe186e975f4cb3c646f
Instruction ID: 211817197b1def66b3126ee0fd63fc85f4bfe34a3ab61405e70b64138ae7c77a
Opcode Fuzzy Hash: 668e3cfc26736206c8be2a5b1a33eae6cbd442bde13dcbe186e975f4cb3c646f
Instruction Fuzzy Hash: 11010432B1456B8BCB20AFBECC809BF77A5FB727947500528E852D2191FA32D920C750

Function 008E1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008E1D4C

Strings

ComboBox, xrefs: 008E1CEB
ListBox, xrefs: 008E1D16

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: edc55589bbe9f8a1e56804d8b588cf6790f2855e4ecdd4da87dffc865d298e23
Instruction ID: bbe9e8c88e7dbafa4fdd38464bc496deabb9d38a3b3be801619f88dde7bc3131
Opcode Fuzzy Hash: edc55589bbe9f8a1e56804d8b588cf6790f2855e4ecdd4da87dffc865d298e23
Instruction Fuzzy Hash: E701B171701219ABCF18FBA9CC59CFE73A8FB47354B140619F872E72C2EA3199088761

Function 008E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008E1C46

Strings

ComboBox, xrefs: 008E1BE5
ListBox, xrefs: 008E1C10

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2ec9ababe621cab10462cee4ce080f6e35131d3c61b50932873093fc2cf52c41
Instruction ID: 2ddfb49ca48e74dab883bf03306b5a3523b6295012497e43d2029c9aac877d64
Opcode Fuzzy Hash: 2ec9ababe621cab10462cee4ce080f6e35131d3c61b50932873093fc2cf52c41
Instruction Fuzzy Hash: 9001B1716811486BCF14EB95C9599FF73A8EB12340B240029E446E3282EA219E0887B2

Function 008E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008E1CC8

Strings

ComboBox, xrefs: 008E1C69
ListBox, xrefs: 008E1C94

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 62b155b8003e5ad48a8cc3854285cfaf1f81d0a96b01a8e861f0b7e8458e1153
Instruction ID: 084e08f598433b741adbf793194a4223b3584ed5d3bb7ad57f0ac386847e7949
Opcode Fuzzy Hash: 62b155b8003e5ad48a8cc3854285cfaf1f81d0a96b01a8e861f0b7e8458e1153
Instruction Fuzzy Hash: 5001677568115967CF14F795CA15EFE77A8FB12344B240015B842F3281EA719F08D772

Function 008E1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889CB3: _wcslen.LIBCMT ref: 00889CBD

Part of subcall function 008E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008E3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008E1DD3

Strings

ComboBox, xrefs: 008E1D75
ListBox, xrefs: 008E1DA0

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7216ebca5092e9b88d0ab62b0c4c2776e5ffa9272f9bb4934867bc29a5f21bcb
Instruction ID: cf913c62bc446ae230ee11910333e89bda95c426aad491a70ed27694ac8eef73
Opcode Fuzzy Hash: 7216ebca5092e9b88d0ab62b0c4c2776e5ffa9272f9bb4934867bc29a5f21bcb
Instruction Fuzzy Hash: 9EF0A471B412196BDB14F7A9CC5AEFE7768FB02354F180915F862E32C2EA719A088361

Function 0090747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00907493
_wcslen.LIBCMT ref: 009074B9

Strings

3, 3, 16, 1, xrefs: 00907483

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0a99640cdcf05ac8b5cc50a752b0df0b2580b960fd0dafab99f0cef80ebb2b29
Instruction ID: b2b56caf45c63fd81483a4e21a25e0c375a968a9798cb4e6a3f65d326e778c8b
Opcode Fuzzy Hash: 0a99640cdcf05ac8b5cc50a752b0df0b2580b960fd0dafab99f0cef80ebb2b29
Instruction Fuzzy Hash: 49E0230160425014D23116BD9CC197FEA8FDFC67707141417F541C11B6D6D49DA153A1

Function 008E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008E0B23

Strings

Error allocating memory., xrefs: 008E0B1C
AutoIt, xrefs: 008E0B17

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0386d6ba1974db518e0cf5a38fa7ad9a44354c094fe18489a642d45b4c9cf581
Instruction ID: 129c023964bbc97d466e1c739f84133fdeafa0d8ceb606d3ddd5a499b387fa7a
Opcode Fuzzy Hash: 0386d6ba1974db518e0cf5a38fa7ad9a44354c094fe18489a642d45b4c9cf581
Instruction Fuzzy Hash: 9FE0D87138430827D61436987C03FC97A84EF06F64F100426F788D54C38AD124A046EA

Function 008A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0089F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008A0D71,?,?,?,0088100A), ref: 0089F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0088100A), ref: 008A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0088100A), ref: 008A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008A0D7F

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cbc9ea3f8d707a8bea0e31b6bc16d40848517788357cc516dfc03a9666061ce4
Instruction ID: 858de6bc4cb7886977dec4ff5791ec0c84bc6b742438e308002f65a347aa43e0
Opcode Fuzzy Hash: cbc9ea3f8d707a8bea0e31b6bc16d40848517788357cc516dfc03a9666061ce4
Instruction Fuzzy Hash: B5E039B4300B418BE760AFB9D8083827BE0FB01744F008A2DE496C6A51DBB4E4889F91

Function 008F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008F302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 008F3044

Strings

aut, xrefs: 008F3038

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d956a4f05168da77cbdcea67d25475d8a22ad495ff36b8ba6e3e594c4bf9760c
Instruction ID: ad97d7be42f29562091e994c69c245cfcf6b92f68703903489f38d15e4d6ce30
Opcode Fuzzy Hash: d956a4f05168da77cbdcea67d25475d8a22ad495ff36b8ba6e3e594c4bf9760c
Instruction Fuzzy Hash: A6D05EF264032877DA20A7A4AC0EFCB3A6CDB05750F4006A1B665E2095DAF0D984CAD0

Function 008DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008DD220

Strings

%.3d, xrefs: 008DD22B
X64, xrefs: 008DD2A8

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a285fa56b49a49c273eebbf2952c303f1a63fa50f4c5fe1aaa7ae68eb5c62708
Instruction ID: 50175b850b05d8bb2a962eb13cb5a376e2040ad72c5badef5c79e798a2956e84
Opcode Fuzzy Hash: a285fa56b49a49c273eebbf2952c303f1a63fa50f4c5fe1aaa7ae68eb5c62708
Instruction Fuzzy Hash: 4FD012A184830CEACF50AAD0DC45CF9B37CFB18345F548553F906D1141E634E508A761

Function 00912322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0091233F

Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3

Strings

Shell_TrayWnd, xrefs: 00912325

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1a6845b75b820609abe2eb995d42eef322d53c38acae3c4f0ca273c43968de70
Instruction ID: ecf3705ab176e1a9325e8e1e2305506606482e8d436c182372f6bb97de52c1ad
Opcode Fuzzy Hash: 1a6845b75b820609abe2eb995d42eef322d53c38acae3c4f0ca273c43968de70
Instruction Fuzzy Hash: 26D022B23E8300BBE364B370DC0FFC6BA04AB00B00F0089067705EA0D0C8F0A801CB00

Function 00912356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091236C
PostMessageW.USER32(00000000), ref: 00912373

Part of subcall function 008EE97B: Sleep.KERNEL32 ref: 008EE9F3

Strings

Shell_TrayWnd, xrefs: 00912365

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: effae3d46096d56f0bd0c9c97972cd0d50e6f8654f6d161b96affb1a8b66a0bd
Instruction ID: 9dbd0f26a458e77275f534af68bbbc6ec7c26ea8b04cb29d312067ca6aec3128
Opcode Fuzzy Hash: effae3d46096d56f0bd0c9c97972cd0d50e6f8654f6d161b96affb1a8b66a0bd
Instruction Fuzzy Hash: 1ED0A9B23D83007AE264B370DC0FFC6AA04AB01B00F0089067601EA0D0C8B0A801CA04

Function 008BBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008BBE93
GetLastError.KERNEL32 ref: 008BBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008BBEFC

Memory Dump Source

Source File: 00000000.00000002.1806850733.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.1806822949.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.000000000091C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807008469.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807126922.000000000094C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1807151717.0000000000954000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a5a1036507b2b00b95470d06a9d8204444a8813a3c09332d7674383fc202e797
Instruction ID: b2eb8e9834d9273b2aeee89c51580edf7288c80d58b6748a1a9afc6f9018a265
Opcode Fuzzy Hash: a5a1036507b2b00b95470d06a9d8204444a8813a3c09332d7674383fc202e797
Instruction Fuzzy Hash: 7441AF34604206ABDB218FA9CC44AFA7BA5FF42720F144169F959DB3A1EFB09D01DB61

Analysis Process: firefox.exePID: 4960, Parent PID: 7716COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000015DA87045F2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000015DA8704657

Strings

z, xrefs: 0000015DA870468B
>, xrefs: 0000015DA87086FF
z, xrefs: 0000015DA8705C36
4, xrefs: 0000015DA87086D9
>, xrefs: 0000015DA87046B9
#, xrefs: 0000015DA8704682
#, xrefs: 0000015DA87029C5
A, xrefs: 0000015DA870464F
#, xrefs: 0000015DA8705731
>, xrefs: 0000015DA870545C

Memory Dump Source

Source File: 00000010.00000002.2996715466.0000015DA8702000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000015DA8702000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_15da8702000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 583897a0b63b2c5e60f76879f3192a033e4c227a5276615c3fe986e9115c61d9
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 2AA3C331618E598BDB3EDF18DC866EA73E5FB98301F14422EDC4AD7255DE34E9028B81

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1965032665.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980251593.0000027B9833B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901492595.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1902587271.0000027B9E6FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949029653.0000027B9E63C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975837950.0000027B9E63C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1902587271.0000027B9E6FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839687686.0000027B983D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952187947.0000027B983D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1965032665.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980251593.0000027B9833B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901492595.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1993643563.0000027B9981A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1993643563.0000027B9981A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1902587271.0000027B9E6FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949029653.0000027B9E63C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1902587271.0000027B9E6FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839687686.0000027B983D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835666242.0000027B99817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA810A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992752954.000002D67F00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA810A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992752954.000002D67F00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1958259972.0000027B91D94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2993056886.0000015DA810A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2992752954.000002D67F00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1976079440.0000027B9D442000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1965032665.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980251593.0000027B9833B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901492595.0000027B9E98E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1986140401.0000027B9370A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1979912365.0000027B9851E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994293253.0000027B98517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1986140401.0000027B9370A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com5 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2001442583.0000027B90E60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845554856.0000027B90584000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837676998.0000027B90584000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52335 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:52343 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:52359 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:52360 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52363 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:52364 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:52365 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52370 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52369 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:52371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:60518 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:60517 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:60519 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 52368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52358
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52359
Source: unknown	Network traffic detected: HTTP traffic on port 52345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52361 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60496
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52361
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52362
Source: unknown	Network traffic detected: HTTP traffic on port 60517 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52360
Source: unknown	Network traffic detected: HTTP traffic on port 52358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52363
Source: unknown	Network traffic detected: HTTP traffic on port 52369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52364
Source: unknown	Network traffic detected: HTTP traffic on port 52362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52369
Source: unknown	Network traffic detected: HTTP traffic on port 52348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52367
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52368
Source: unknown	Network traffic detected: HTTP traffic on port 52365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52370
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52371
Source: unknown	Network traffic detected: HTTP traffic on port 60518 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52338
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52339
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60519
Source: unknown	Network traffic detected: HTTP traffic on port 52347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52336
Source: unknown	Network traffic detected: HTTP traffic on port 52363 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52335
Source: unknown	Network traffic detected: HTTP traffic on port 52340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52340
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60518
Source: unknown	Network traffic detected: HTTP traffic on port 60519 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60517
Source: unknown	Network traffic detected: HTTP traffic on port 60710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60710
Source: unknown	Network traffic detected: HTTP traffic on port 60496 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52349
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52343
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52348
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52345
Source: unknown	Network traffic detected: HTTP traffic on port 52360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52367 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60889
Source: unknown	Network traffic detected: HTTP traffic on port 60889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60887
Source: unknown	Network traffic detected: HTTP traffic on port 52370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60885

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb7cba75-108e-4320-8151-e5d50e5987e9.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb7cba75-108e-4320-8151-e5d50e5987e9.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre