Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541678
MD5:	0334989819bcf38be73c399caf7cc0f8
SHA1:	ed21979d75c3b290d975633d34bfb55b345015e6
SHA256:	1dc1aa7bb2dde0f1eeecda0bd41993d10439223c21f271a8f1eb4548c23528ca
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3640 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0334989819BCF38BE73C399CAF7CC0F8)

taskkill.exe (PID: 3596 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5688 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6204 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3228 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7092 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2924 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5168 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5060 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6476 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2204 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab8395c6-1105-43dd-a082-b75f7f70fefd} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2c876dd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7544 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 1272 -prefMapHandle 4276 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10fd7c61-c9d7-4db7-89e7-571930c51699} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2d9d58710 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8088 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4552 -prefMapHandle 5108 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8ee0e7-efb6-48aa-a6a1-12ed26ef26b2} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2da0c5510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2121245269.0000000001430000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.2121286491.0000000001439000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 3640	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00C0EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C0EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C0ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00C0EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00BFAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C29576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C29576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2056885498.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b2a9163d-d
Source: file.exe, 00000000.00000000.2056885498.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_31815f42-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_27da8bf0-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a8e3c7c7-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000022C7CFB6A37 NtQuerySystemInformation,		17_2_0000022C7CFB6A37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000022C7CFE5EB2 NtQuerySystemInformation,		17_2_0000022C7CFE5EB2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00BFD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BF1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BFE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C02046	0_2_00C02046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B98060	0_2_00B98060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF8298	0_2_00BF8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCE4FF	0_2_00BCE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC676B	0_2_00BC676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C24873	0_2_00C24873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBCAA0	0_2_00BBCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9CAF0	0_2_00B9CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BACC39	0_2_00BACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC6DD9	0_2_00BC6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B991C0	0_2_00B991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAB119	0_2_00BAB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1394	0_2_00BB1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1706	0_2_00BB1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB781B	0_2_00BB781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB19B0	0_2_00BB19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B97920	0_2_00B97920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA997D	0_2_00BA997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7A4A	0_2_00BB7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7CA7	0_2_00BB7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1C77	0_2_00BB1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC9EEE	0_2_00BC9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1BE44	0_2_00C1BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1F32	0_2_00BB1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000022C7CFB6A37	17_2_0000022C7CFB6A37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000022C7CFE5EB2	17_2_0000022C7CFE5EB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000022C7CFE65DC	17_2_0000022C7CFE65DC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000022C7CFE5EF2	17_2_0000022C7CFE5EF2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00BB0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B99CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00BAF9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C037B5 GetLastError,FormatMessageW,

0_2_00C037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF10BF AdjustTokenPrivileges,CloseHandle,		0_2_00BF10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BF16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BFD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C0648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2211355361.000001E2E1CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279475841.000001E2E1CE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count - 1 WHERE id = OLD.place_idUPDATE moz_places SET foreign_count = foreign_count + 1 WHERE id = NEW.place_id;
Source: firefox.exe, 0000000E.00000003.2209775394.000001E2E40D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2210160294.000001E2E409C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2204 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab8395c6-1105-43dd-a082-b75f7f70fefd} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2c876dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 1272 -prefMapHandle 4276 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10fd7c61-c9d7-4db7-89e7-571930c51699} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2d9d58710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4552 -prefMapHandle 5108 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8ee0e7-efb6-48aa-a6a1-12ed26ef26b2} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2da0c5510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2204 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab8395c6-1105-43dd-a082-b75f7f70fefd} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2c876dd10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 1272 -prefMapHandle 4276 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10fd7c61-c9d7-4db7-89e7-571930c51699} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2d9d58710 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4552 -prefMapHandle 5108 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8ee0e7-efb6-48aa-a6a1-12ed26ef26b2} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2da0c5510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2235394415.000001E2D83CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2229811023.000001E2D83C5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231254787.000001E2D83C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2235394415.000001E2D83CF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2233418122.000001E2D83C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2229811023.000001E2D83C5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231254787.000001E2D83C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2231170367.000001E2E4B01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2233418122.000001E2D83C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2231170367.000001E2E4B01000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB0A76 push ecx; ret

0_2_00BB0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00BAF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C21C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C21C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98107

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000022C7CFB6A37 rdtsc

17_2_0000022C7CFB6A37

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BFDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCC2A2 FindFirstFileExW,	0_2_00BCC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C068EE FindFirstFileW,FindClose,	0_2_00C068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C0698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C0698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BFD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BFD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C09642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C09642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C0979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C0979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C09B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C09B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C05C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C05C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Source: firefox.exe, 00000010.00000002.3317761384.00000181AB46A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy
Source: firefox.exe, 00000011.00000002.3322783718.0000022C7CE60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2/n8
Source: firefox.exe, 00000010.00000002.3317761384.00000181AB46A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3316671891.0000022C7C5CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3317275083.000002917AC0A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318341434.000002917ACB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3324495391.00000181AB91B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3322783718.0000022C7CE60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~
Source: firefox.exe, 00000010.00000002.3325544774.00000181ABD40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3322783718.0000022C7CE60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.3317761384.00000181AB46A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000022C7CFB6A37 rdtsc

17_2_0000022C7CFB6A37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0EAA2 BlockInput,

0_2_00C0EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BC2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00BB4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BF0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BC2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BB083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB09D5 SetUnhandledExceptionFilter,	0_2_00BB09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BB0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00BF1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BD2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFB226 SendInput,keybd_event,

0_2_00BFB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00C122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00BF0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BF1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB0698 cpuid

0_2_00BB0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C08195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C08195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BED27A GetUserNameW,

0_2_00BED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00BCB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B942DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2121245269.0000000001430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2121286491.0000000001439000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3640, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2121245269.0000000001430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2121286491.0000000001439000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3640, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C11204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00C11204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C11806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C11806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.18.14	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.78	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://youtube.comZ	firefox.exe, 0000000E.00000003.2275791122.000029E93C703000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3320151971.000002917B0C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2295933928.000001E2DA097000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2209775394.000001E2E40D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2251789027.000001E2E081D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3320576892.00000181AB8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3319370426.0000022C7C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3324420593.000002917B105000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3320151971.000002917B08E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2291783849.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302054309.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2221627652.000001E2DA1D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2211355361.000001E2E1C45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221491828.000001E2DA529000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2102585658.000001E2D8600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2105403108.000001E2D8853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2106393280.000001E2D886F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2107168383.000001E2D888A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2104018044.000001E2D8838000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103755780.000001E2D881D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2296526622.000001E2DA05C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2210222075.000001E2E4073000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2292236514.000001E2E095D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2280416296.000001E2E05D1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2298752966.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285737490.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2102585658.000001E2D8600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2105403108.000001E2D8853000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2106393280.000001E2D886F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2104018044.000001E2D8838000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103755780.000001E2D881D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2286179890.000001E2DACEB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2148567620.000001E2DA2F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147010363.000001E2DA2F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147417624.000001E2DA2F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155184589.000001E2DA2F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2282136872.000001E2DBCE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291424406.000001E2E1C26000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2221491828.000001E2DA529000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2292236514.000001E2E095D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2163719008.000001E2D97A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162057348.000001E2E3F05000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2291783849.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302054309.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2283647437.000001E2E3EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210480282.000001E2E3EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278712927.000001E2E3EDE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3320151971.000002917B0C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2161204797.000001E2D97A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2230669883.000001E2D9EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226165230.000001E2D9EC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2211189564.000001E2E3E3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210480282.000001E2E3E83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297266982.000001E2D9DE5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://amazon.com	firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2296526622.000001E2DA05C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2279149672.000001E2E1DD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2209775394.000001E2E40EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3320576892.00000181AB8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3319370426.0000022C7C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3324420593.000002917B105000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
http://mozilla.org/03	firefox.exe, 0000000E.00000003.2276042531.00001BB346803000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3320576892.00000181AB8CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3319370426.0000022C7C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3324420593.000002917B105000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2292236514.000001E2E095D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.3319370426.0000022C7C912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3320151971.000002917B013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2135641924.000001E2E0A82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291783849.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302054309.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3318806787.000002917AE00000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/Z	firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/CN=The	firefox.exe, 00000012.00000002.3320151971.000002917B013000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digi	firefox.exe, 0000000E.00000003.2174129144.000001E2D8375000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2250805633.000001E2D8E8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285737490.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220027227.000001E2DAEBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165908998.000001E2DA2EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230669883.000001E2D9EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161288383.000001E2D9791000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212823255.000001E2E05D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2165109203.000001E2E0646000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2230536561.000001E2D9EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155184589.000001E2DA2C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226165230.000001E2D9EF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277648419.000001E2D9F3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2148567620.000001E2DA2EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2136515375.000001E2DAEBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220821818.000001E2DADE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239844647.000001E2E064E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250805633.000001E2D8EAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2112601425.000001E2D9118000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2147417624.000001E2DA2EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239423567.000001E2E066A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229570020.000001E2DA2EA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2298752966.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285737490.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2280416296.000001E2E052A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2298752966.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285737490.000001E2DADC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292236514.000001E2E09C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2212262411.000001E2E0799000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221627652.000001E2DA1D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2212262411.000001E2E0799000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221627652.000001E2DA1D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2251789027.000001E2E081D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla-hub.atlassian.net/browse/SDK-405	firefox.exe, 0000000E.00000003.2140673535.000001E2E0A97000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2292236514.000001E2E095D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2211355361.000001E2E1C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291424406.000001E2E1C26000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2292236514.000001E2E095D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2211355361.000001E2E1C1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2160073672.000001E2E0640000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2287480690.000001E2DA1D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221627652.000001E2DA1D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2163719008.000001E2D97A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162057348.000001E2E3F05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161204797.000001E2D97A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2283647437.000001E2E3EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210480282.000001E2E3EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278712927.000001E2E3EDE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2302539467.000001E2E05D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3319704252.00000181AB740000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3318241612.0000022C7C7B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3318612259.000002917ADB0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2291783849.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302054309.000001E2E0B96000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2209775394.000001E2E40D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541678
Start date and time:	2024-10-25 01:26:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@65/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 52.13.186.250, 44.231.229.39, 142.250.186.42, 142.250.185.106, 2.22.61.59, 2.22.61.56, 142.250.185.238, 142.250.185.78
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
19:27:07	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
services.addons.mozilla.org	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
star-mini.c10r.facebook.com	http://ylh2qh022.spreadsheetninjas.com/q3bCCwDV?sub1=ed10U&keyword=rbraley@avitusgroup.com&sub2=xelosv.nl	Get hash	malicious	Porn Scam	Browse	157.240.253.35
	http://scansourcce.com/	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	34.149.120.3
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fwe4uproducts.com/cbb/lld/jjg/5BVvnI7cfJ4HfuhWZvVda7dK/am9yZGFuLmJsYWNrQGxlYXJmaWVsZC5jb20=	Get hash	malicious	Unknown	Browse	34.49.241.189
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.66.95.206
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	34.36.245.246
	https://cswlawgroup.artoffice.cloud/	Get hash	malicious	Unknown	Browse	34.36.17.181
FASTLYUS	http://scansourcce.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	199.232.210.84
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fwe4uproducts.com/cbb/lld/jjg/5BVvnI7cfJ4HfuhWZvVda7dK/am9yZGFuLmJsYWNrQGxlYXJmaWVsZC5jb20=	Get hash	malicious	Unknown	Browse	151.101.194.137
	General Agreement.docx.exe	Get hash	malicious	Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	https://onlinepdf-qrsharedfile.com/index.html#XYW5uaWUua3lwcmlhbm91QGxjYXR0ZXJ0b24uY29t	Get hash	malicious	HTMLPhisher	Browse	151.101.193.229
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	34.149.120.3
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fwe4uproducts.com/cbb/lld/jjg/5BVvnI7cfJ4HfuhWZvVda7dK/am9yZGFuLmJsYWNrQGxlYXJmaWVsZC5jb20=	Get hash	malicious	Unknown	Browse	34.49.241.189
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.66.95.206
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	34.36.245.246
	https://cswlawgroup.artoffice.cloud/	Get hash	malicious	Unknown	Browse	34.36.17.181

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_14212507-c320-4cdb-99ef-76518336a749.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17777800648289
Encrypted:	false
SSDEEP:	192:sKMXP7scbhbVbTbfbRbObtbyEl7nUrgJA6wnSrDtTkd/SQ:sPAcNhnzFSJ0rTjnSrDhkd/t
MD5:	047693A26A9AAF5D630261F5479BD3A4
SHA1:	5E01A81BA6EC29E210E55F87BCD5C9975A0621C9
SHA-256:	F997BBD4D8772EFA8CE1EE2D6D58F038FF2D82EF242F7BD29E2610DC11094B27
SHA-512:	0696A80C507F66C44F1BEDF368228AA1EF9CA4D816BA1051F5436A7A7BF72B5FF69634FB80172FCB9078C5C3F5A1691DA6B36867B6F4DE466E0B8D4485A08E01
Malicious:	false
Preview:	{"type":"uninstall","id":"14212507-c320-4cdb-99ef-76518336a749","creationDate":"2024-10-25T01:20:13.545Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_14212507-c320-4cdb-99ef-76518336a749.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17777800648289
Encrypted:	false
SSDEEP:	192:sKMXP7scbhbVbTbfbRbObtbyEl7nUrgJA6wnSrDtTkd/SQ:sPAcNhnzFSJ0rTjnSrDhkd/t
MD5:	047693A26A9AAF5D630261F5479BD3A4
SHA1:	5E01A81BA6EC29E210E55F87BCD5C9975A0621C9
SHA-256:	F997BBD4D8772EFA8CE1EE2D6D58F038FF2D82EF242F7BD29E2610DC11094B27
SHA-512:	0696A80C507F66C44F1BEDF368228AA1EF9CA4D816BA1051F5436A7A7BF72B5FF69634FB80172FCB9078C5C3F5A1691DA6B36867B6F4DE466E0B8D4485A08E01
Malicious:	false
Preview:	{"type":"uninstall","id":"14212507-c320-4cdb-99ef-76518336a749","creationDate":"2024-10-25T01:20:13.545Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92693133476324
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNwv39vyu:8S+OVPUFRbOdwNIOdYpjvY1Q6LJk8P
MD5:	F7D0B8252DB74FAE90673EB4EBB6BDEA
SHA1:	9F60AE0DA4CCA26D5C81494D42E0757C85A0544A
SHA-256:	2C9AA58212EEE14B851DB04606C93ABF3EC40A6FF3DAD17534632CD76EE81F59
SHA-512:	99C51BBA2D619D69BB484E15EF13E79B0440A1826D741DEAEBDCBB3BA6B54716B75AEC5DB69C24654FF7875C2C480AAC710A215D47373180504FC406E8668502
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.92693133476324
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNwv39vyu:8S+OVPUFRbOdwNIOdYpjvY1Q6LJk8P
MD5:	F7D0B8252DB74FAE90673EB4EBB6BDEA
SHA1:	9F60AE0DA4CCA26D5C81494D42E0757C85A0544A
SHA-256:	2C9AA58212EEE14B851DB04606C93ABF3EC40A6FF3DAD17534632CD76EE81F59
SHA-512:	99C51BBA2D619D69BB484E15EF13E79B0440A1826D741DEAEBDCBB3BA6B54716B75AEC5DB69C24654FF7875C2C480AAC710A215D47373180504FC406E8668502
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiY:DLhesh7Owd4+ji
MD5:	CF1DE697E64DA861D34F991214E84506
SHA1:	9D6E9A3CB1817C1C48406125FEACB8E75CD6BF6F
SHA-256:	8AAAE5E2C7FF42BF353087850292EDD48B98407FD65260E1DAD8D3CA3650BECA
SHA-512:	F57EDB1DA479F8289DD8404C4E2994784F69CEEFA0187D2323AC26D22B0ACECD9F10260122BCD9B6D67D3D007D26610045C94FC5DB4052B9160935B4B270489C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035447157006298996
Encrypted:	false
SSDEEP:	3:GtlstFb3Hwc9N7Z7i3lstFb3Hwc9N7Z7vT89//alEl:GtWtHbYWtHbh89XuM
MD5:	38685C4B481F6522C2D9C8D0651B83C9
SHA1:	2E0D140B59288D1F1965794AF4ADA14851CDEB69
SHA-256:	542092B789B08575674E6F726BD842425CC0B295948B56ECD0645DE34F746DAA
SHA-512:	D1AAAEA6B55BADE95F740410B09AEBFDBA1B77CEC57426F329C9FBA7901F36E02DADFC3905E22A9F3D47B19F0F0BA4075E8C33AABCCA9A64E38C421FC659E217
Malicious:	false
Preview:	..-.....................L......=.y.6.b>..om.v...-.....................L......=.y.6.b>..om.v.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04004211531425465
Encrypted:	false
SSDEEP:	3:Ol1DB7R7OtIYa9x63FHuh7l8rEXsxdwhml8XW3R2:KL9OtIb6VWl8dMhm93w
MD5:	82A802081FA850D21CD0F218A7AC3BA1
SHA1:	A20196D93FD6F69A78784ABC3DDC321C9B4EE547
SHA-256:	5C09E07BF27C48FED1E1F09C95DC894B7AE46DE1F663EC9EE5AF9272CF49A887
SHA-512:	3E7C4C750097524F2736447BE0DC3B4A31A376CAEDB3D62843188375898819D480A11239DEC6F2EB2924310615AA4D02EAA93170B18E9CFE81ADC40B59B2B7F8
Malicious:	false
Preview:	7....-..........=.y.6.b>n@.Pd..+........=.y.6.b>...L..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4769884093449255
Encrypted:	false
SSDEEP:	192:QnPOeRnLYbBp68J0aX+06SEXKXxNJf5RHWNBw8dRSl:KDexJU3e7tHEwu0
MD5:	4418DB95A5E1B251AA492307CB39423B
SHA1:	95AF6D838C84D5676BC1C8E3BD9A513C97722672
SHA-256:	33F44F8ECA3D086879FFAF5F9D07532A3D92D6A2309E7A77EAC3D9C83C6BD8C8
SHA-512:	9EBC72F7A8AF23DAE3B9882B75DF2FE07B0F9BD9D2F58609348BDF3A4D77B511D3A4CF16216948EC4A0412062DCC810BD12DBD708CC4BD6A3BEDD14214284812
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729819184);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729819184);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729819184);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172981

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4769884093449255
Encrypted:	false
SSDEEP:	192:QnPOeRnLYbBp68J0aX+06SEXKXxNJf5RHWNBw8dRSl:KDexJU3e7tHEwu0
MD5:	4418DB95A5E1B251AA492307CB39423B
SHA1:	95AF6D838C84D5676BC1C8E3BD9A513C97722672
SHA-256:	33F44F8ECA3D086879FFAF5F9D07532A3D92D6A2309E7A77EAC3D9C83C6BD8C8
SHA-512:	9EBC72F7A8AF23DAE3B9882B75DF2FE07B0F9BD9D2F58609348BDF3A4D77B511D3A4CF16216948EC4A0412062DCC810BD12DBD708CC4BD6A3BEDD14214284812
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729819184);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729819184);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729819184);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172981

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.345816957145085
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqJdrhXkLXnIra/pnxQwR2cT5sKmgw3eHVpjO+xLamhujJwO2c0Tiv:GUpOx1dyjnR22egw3erjxR4Jwc3zBtT
MD5:	F7A22176DD3C2824FD726A82A75D63DF
SHA1:	8AFDF917B8CBBCD955A249522C572056E803102D
SHA-256:	D963E6934231ECD5ECA5397CE32ED53D540AC6F4A7AFBC331C79608ED7B6253A
SHA-512:	416B2EFF6FBE5D38851A2FB27640CD3D991D677889170D83C8234D5AC7BC8898315F84F5316271D7AC02250555B47760DAC37850BC37D569B194B2960E5D9C41
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{b690bf32-11d8-4c8a-92a3-02e54f809923}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729819189170,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":21506334....width":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:..s...{..mUpdate...startTim..P53512...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...59308,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.345816957145085
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqJdrhXkLXnIra/pnxQwR2cT5sKmgw3eHVpjO+xLamhujJwO2c0Tiv:GUpOx1dyjnR22egw3erjxR4Jwc3zBtT
MD5:	F7A22176DD3C2824FD726A82A75D63DF
SHA1:	8AFDF917B8CBBCD955A249522C572056E803102D
SHA-256:	D963E6934231ECD5ECA5397CE32ED53D540AC6F4A7AFBC331C79608ED7B6253A
SHA-512:	416B2EFF6FBE5D38851A2FB27640CD3D991D677889170D83C8234D5AC7BC8898315F84F5316271D7AC02250555B47760DAC37850BC37D569B194B2960E5D9C41
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{b690bf32-11d8-4c8a-92a3-02e54f809923}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729819189170,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":21506334....width":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:..s...{..mUpdate...startTim..P53512...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...59308,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.345816957145085
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqJdrhXkLXnIra/pnxQwR2cT5sKmgw3eHVpjO+xLamhujJwO2c0Tiv:GUpOx1dyjnR22egw3erjxR4Jwc3zBtT
MD5:	F7A22176DD3C2824FD726A82A75D63DF
SHA1:	8AFDF917B8CBBCD955A249522C572056E803102D
SHA-256:	D963E6934231ECD5ECA5397CE32ED53D540AC6F4A7AFBC331C79608ED7B6253A
SHA-512:	416B2EFF6FBE5D38851A2FB27640CD3D991D677889170D83C8234D5AC7BC8898315F84F5316271D7AC02250555B47760DAC37850BC37D569B194B2960E5D9C41
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{b690bf32-11d8-4c8a-92a3-02e54f809923}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729819189170,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":21506334....width":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:..s...{..mUpdate...startTim..P53512...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...59308,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029791177141102
Encrypted:	false
SSDEEP:	96:ycsMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:vTEr5NX0z3DhRe
MD5:	DC41B2894D34F0AE55DB697508F5B999
SHA1:	3E8B9169BF7329A2FF3B013D4E5DDEB5F2555AEF
SHA-256:	FC2FAFC41547364721D0035058F07A3ED74435662C20257FA1835597D7F6F9A5
SHA-512:	8B805EB35FE3ADDE0CECA77BE48735D749B5CA49F1178CD597CBB1B6B6EC64F577A838922FF88CEA69BF61B23BC0F20EC73FC9C701FD6B6CD45B46BF14DC1F2C
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T01:19:30.537Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029791177141102
Encrypted:	false
SSDEEP:	96:ycsMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:vTEr5NX0z3DhRe
MD5:	DC41B2894D34F0AE55DB697508F5B999
SHA1:	3E8B9169BF7329A2FF3B013D4E5DDEB5F2555AEF
SHA-256:	FC2FAFC41547364721D0035058F07A3ED74435662C20257FA1835597D7F6F9A5
SHA-512:	8B805EB35FE3ADDE0CECA77BE48735D749B5CA49F1178CD597CBB1B6B6EC64F577A838922FF88CEA69BF61B23BC0F20EC73FC9C701FD6B6CD45B46BF14DC1F2C
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T01:19:30.537Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584685421821997
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	0334989819bcf38be73c399caf7cc0f8
SHA1:	ed21979d75c3b290d975633d34bfb55b345015e6
SHA256:	1dc1aa7bb2dde0f1eeecda0bd41993d10439223c21f271a8f1eb4548c23528ca
SHA512:	7b703b0fd16b9f8dff59765df045877efccdeca374c3f0bb24c908fe3ba41e626a41f16439a289da5e152b083fc746f1503214c99d3f739702f7054a74b47af5
SSDEEP:	12288:GqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T8:GqDEvCTbMWu7rQYlBQcBiT6rprG8ab8
TLSH:	C3159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671AD193 [Thu Oct 24 23:00:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC66C741373h
jmp 00007FC66C740C7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC66C740E5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC66C740E2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC66C743A1Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC66C743A68h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC66C743A51h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	277b83200dcfc31c4004c03138324dd1	False	0.31561511075949367	data	5.373970945939682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 01:27:04.756968021 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:04.757019043 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:04.757113934 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:04.766832113 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:04.766854048 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:05.407576084 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:05.407661915 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:05.416462898 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:05.416512966 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:05.416548014 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:05.416747093 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:05.416815996 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:05.717914104 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:05.717951059 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:05.729562998 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:05.730976105 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:05.730992079 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.152245045 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.152339935 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.164917946 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.219454050 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.219508886 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.348124981 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:06.353512049 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:06.369143963 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:06.370722055 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:06.376178026 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:06.605858088 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.605876923 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.606898069 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.624062061 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.624090910 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.629163027 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.629184961 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.629268885 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.629803896 CEST	443	49711	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:06.630456924 CEST	49711	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:06.736984015 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:06.737066031 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:06.738683939 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:06.740004063 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:06.740027905 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:06.760795116 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:06.760915041 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:06.761420012 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:06.761450052 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:06.761821985 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:06.761821985 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:06.761905909 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:06.761919975 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:06.763205051 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:06.763216019 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:06.974019051 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.058017015 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.058060884 CEST	443	49718	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.058248043 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.058456898 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.058474064 CEST	443	49718	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.068763018 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.100600958 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.100616932 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.102015972 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.115655899 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.115719080 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.120208025 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.120258093 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.120372057 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.120675087 CEST	443	49712	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.120805025 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.120840073 CEST	443	49719	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.120881081 CEST	49712	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.120965958 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.122818947 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.122834921 CEST	443	49719	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.237971067 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.243355036 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.243438959 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.243541956 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.248934031 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.364701986 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.367475986 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.370451927 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.370733023 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.372255087 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:07.374409914 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.374437094 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.374572039 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.374675989 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.375403881 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.375497103 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.375643015 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.375654936 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:07.375701904 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.379260063 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:07.379266977 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:07.379497051 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:07.381520987 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.381562948 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.382128000 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.382139921 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.382260084 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.382725000 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.383125067 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.383177042 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.384288073 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:07.384381056 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:07.384407997 CEST	443	49716	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:07.384601116 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:07.384613991 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.384671926 CEST	49716	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:07.384761095 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.386657000 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:07.386677027 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.497359037 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.503215075 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.503323078 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.631439924 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.636917114 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.637476921 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.637665033 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.642976999 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.684614897 CEST	443	49718	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.684721947 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.689023018 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.689043045 CEST	443	49718	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.689456940 CEST	443	49718	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.693737030 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.693929911 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.693943977 CEST	443	49718	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.694029093 CEST	49718	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.694267988 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.694298029 CEST	443	49724	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.694434881 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.694643974 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:07.694665909 CEST	443	49724	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:07.840265036 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.840629101 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.846592903 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:07.846654892 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:07.994169950 CEST	443	49719	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.994271994 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.996763945 CEST	443	49719	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:07.996910095 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:07.997809887 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:07.998084068 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.004548073 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.005070925 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:08.005088091 CEST	443	49719	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:08.005193949 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:08.005283117 CEST	443	49719	172.217.18.14	192.168.2.5
Oct 25, 2024 01:27:08.005330086 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.005357027 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.005394936 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.005582094 CEST	49719	443	192.168.2.5	172.217.18.14
Oct 25, 2024 01:27:08.005585909 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.005593061 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.006007910 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.010936022 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.010951996 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.011044025 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.011106014 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.011195898 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.269341946 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:08.305174112 CEST	443	49724	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:08.305866003 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:08.308970928 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:08.308979034 CEST	443	49724	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:08.309330940 CEST	443	49724	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:08.311332941 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:08.311402082 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:08.311580896 CEST	443	49724	34.160.144.191	192.168.2.5
Oct 25, 2024 01:27:08.311927080 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:08.311927080 CEST	49724	443	192.168.2.5	34.160.144.191
Oct 25, 2024 01:27:08.319230080 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:08.803873062 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.803927898 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.805121899 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.806497097 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:08.806520939 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:08.822424889 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:08.827800035 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:08.836518049 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:08.849102974 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:08.854496002 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:08.985920906 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:08.991348028 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.117672920 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.146832943 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.171022892 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.173058033 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.178394079 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.178622961 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.178735971 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.183995962 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.195329905 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.313745022 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.313806057 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.418977976 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:09.419106960 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.424041986 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.424052000 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:09.424102068 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.424256086 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:09.424359083 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.424463987 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.424518108 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:09.424592972 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.425709009 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:09.425728083 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:09.773816109 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:09.823566914 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:09.971760035 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:09.971791029 CEST	443	49732	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:09.977298975 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:09.978737116 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:09.978749037 CEST	443	49732	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:10.044398069 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:10.055345058 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:10.055552959 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:10.067418098 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:10.067451000 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:10.067615986 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:10.068013906 CEST	443	49730	34.117.188.166	192.168.2.5
Oct 25, 2024 01:27:10.072298050 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.072411060 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.077636003 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:10.077668905 CEST	49730	443	192.168.2.5	34.117.188.166
Oct 25, 2024 01:27:10.082704067 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.082849979 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.082873106 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.086383104 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.086474895 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:10.087595940 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.089015007 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.089067936 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:10.099507093 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.099526882 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:10.100065947 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.101497889 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.101505995 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:10.168981075 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:10.174423933 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:10.301507950 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:10.349591017 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:10.355132103 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:10.361471891 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:10.474720001 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:10.536003113 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:10.614912033 CEST	443	49732	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:10.614989996 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:10.654231071 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:10.654268980 CEST	443	49732	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:10.654308081 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:10.654861927 CEST	443	49732	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:10.654925108 CEST	49732	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:10.701781034 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:10.701915979 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.705399990 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:10.705550909 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.707245111 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.707261086 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:10.707324982 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.707425117 CEST	443	49734	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:10.709618092 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.709625959 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:10.709676981 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.709820032 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:10.709878922 CEST	49734	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:10.709914923 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:10.724227905 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.724267960 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.724330902 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.726814985 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.726829052 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.727104902 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.729234934 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.729305029 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:10.729409933 CEST	443	49733	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:10.729474068 CEST	49733	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:15.373106003 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:15.378470898 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:15.504864931 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:15.560579062 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:20.184169054 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.184209108 CEST	443	49745	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.185040951 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.186336040 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.186352968 CEST	443	49745	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.203634977 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:20.208976984 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:20.217502117 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.217525959 CEST	443	49746	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:20.223169088 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.234137058 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.234163046 CEST	443	49746	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:20.234778881 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.234801054 CEST	443	49747	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.236471891 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.236624002 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.236634970 CEST	443	49747	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.304224968 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.304270983 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.304843903 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.305035114 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.305051088 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.328052998 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:20.379690886 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:20.796849012 CEST	443	49745	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.797064066 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.801039934 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.801049948 CEST	443	49745	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.801121950 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.801214933 CEST	443	49745	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.801459074 CEST	49745	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.843096972 CEST	443	49746	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:20.843195915 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.847764015 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.847774029 CEST	443	49746	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:20.847804070 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.847973108 CEST	443	49746	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:20.848047018 CEST	49746	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:20.865675926 CEST	443	49747	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.866719961 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.869322062 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.869338989 CEST	443	49747	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.869798899 CEST	443	49747	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.872636080 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.872636080 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.872828007 CEST	443	49747	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.872896910 CEST	49747	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.918549061 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.918633938 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.921571016 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.921595097 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.921812057 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.924072981 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.924154043 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:20.924211025 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:20.924294949 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:21.991256952 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:21.996634007 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:22.036400080 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.036451101 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:22.036732912 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.038278103 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.038292885 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:22.123814106 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:22.163871050 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:22.169217110 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:22.169333935 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:22.288358927 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:22.338640928 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:22.663866043 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:22.663959980 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.970024109 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.970052004 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:22.970105886 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.970504045 CEST	443	49754	34.120.208.123	192.168.2.5
Oct 25, 2024 01:27:22.971791029 CEST	49754	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:27:22.996270895 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:23.001693964 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:23.128657103 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:23.172224045 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:23.563821077 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:23.569228888 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:23.688457966 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:23.742683887 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:23.866024971 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:23.871494055 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:24.002033949 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:24.004807949 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:24.011765957 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:24.043554068 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:24.130100965 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:24.175085068 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:32.035413980 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.035430908 CEST	443	49814	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:32.035609961 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.037132025 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.037143946 CEST	443	49814	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:32.675844908 CEST	443	49814	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:32.675935030 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.680737972 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.680742979 CEST	443	49814	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:32.680824995 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.680985928 CEST	443	49814	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:32.681544065 CEST	49814	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:32.683362007 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:32.688718081 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:32.815012932 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:32.818502903 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:32.823889017 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:32.870109081 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:32.943064928 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:32.986025095 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:33.849838018 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:33.849873066 CEST	443	49825	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:33.850954056 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:33.851109028 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:33.851118088 CEST	443	49825	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:33.855957031 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:33.855982065 CEST	443	49826	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:33.858927965 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:33.858936071 CEST	443	49827	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:33.861320019 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:33.861341953 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:33.861632109 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:33.861644983 CEST	443	49826	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:33.863075018 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:33.863085032 CEST	443	49827	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:33.864145994 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:33.864234924 CEST	443	49828	151.101.129.91	192.168.2.5
Oct 25, 2024 01:27:33.870580912 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:33.870796919 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:33.870831966 CEST	443	49828	151.101.129.91	192.168.2.5
Oct 25, 2024 01:27:33.871659040 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:33.871680975 CEST	443	49829	35.201.103.21	192.168.2.5
Oct 25, 2024 01:27:33.872504950 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:33.874154091 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:33.874165058 CEST	443	49829	35.201.103.21	192.168.2.5
Oct 25, 2024 01:27:34.461884022 CEST	443	49825	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.461958885 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.465217113 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.465225935 CEST	443	49825	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.465698957 CEST	443	49825	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.467647076 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.467734098 CEST	49825	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.471368074 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:34.475792885 CEST	443	49827	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:34.475883007 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:34.476763964 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:34.480165005 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:34.480170012 CEST	443	49827	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:34.480232954 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:34.480346918 CEST	443	49827	35.190.72.216	192.168.2.5
Oct 25, 2024 01:27:34.480637074 CEST	49827	443	192.168.2.5	35.190.72.216
Oct 25, 2024 01:27:34.483273983 CEST	443	49828	151.101.129.91	192.168.2.5
Oct 25, 2024 01:27:34.483352900 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:34.486246109 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:34.486274958 CEST	443	49828	151.101.129.91	192.168.2.5
Oct 25, 2024 01:27:34.486493111 CEST	443	49828	151.101.129.91	192.168.2.5
Oct 25, 2024 01:27:34.488358021 CEST	443	49826	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:34.488590002 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.488610029 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:34.488687038 CEST	49828	443	192.168.2.5	151.101.129.91
Oct 25, 2024 01:27:34.491573095 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.491575956 CEST	443	49826	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:34.491945982 CEST	443	49826	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:34.494043112 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.494102001 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.494210958 CEST	443	49826	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:34.494997025 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.494997025 CEST	49826	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.496680975 CEST	443	49829	35.201.103.21	192.168.2.5
Oct 25, 2024 01:27:34.498361111 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.498374939 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.498382092 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:34.498439074 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.500603914 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.500643969 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.500703096 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.501111031 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.501120090 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.501203060 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.501219988 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.501420975 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.501455069 CEST	443	49837	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.501519918 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.502058983 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:34.502085924 CEST	443	49837	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:34.503571987 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:34.503585100 CEST	443	49829	35.201.103.21	192.168.2.5
Oct 25, 2024 01:27:34.503637075 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:34.503791094 CEST	443	49829	35.201.103.21	192.168.2.5
Oct 25, 2024 01:27:34.504072905 CEST	49829	443	192.168.2.5	35.201.103.21
Oct 25, 2024 01:27:34.514209986 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.514242887 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:34.514385939 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.514487982 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:34.514503956 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:34.603404999 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:34.606324911 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:34.611763954 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:34.653192997 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:34.731061935 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:34.775638103 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:35.116678953 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.120548010 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.123688936 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.123696089 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.124083042 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.125355005 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.128576994 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.130701065 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.130709887 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.131757975 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.132536888 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.132618904 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.132914066 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.133496046 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.133563995 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.133729935 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.133735895 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.137146950 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:35.137222052 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:35.137734890 CEST	443	49837	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.138062000 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:35.138108969 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.140841961 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:35.140849113 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:35.141047001 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:35.142487049 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:35.143326998 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.143342972 CEST	443	49837	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.143678904 CEST	443	49837	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.145684958 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:35.145802975 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:35.145817995 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:35.145824909 CEST	443	49838	34.149.100.209	192.168.2.5
Oct 25, 2024 01:27:35.145950079 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.145994902 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.146137953 CEST	443	49837	35.244.181.201	192.168.2.5
Oct 25, 2024 01:27:35.146162033 CEST	49838	443	192.168.2.5	34.149.100.209
Oct 25, 2024 01:27:35.146296024 CEST	49837	443	192.168.2.5	35.244.181.201
Oct 25, 2024 01:27:35.270093918 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:35.273236036 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:35.278723955 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:35.323925972 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:35.398189068 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:35.439862967 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:45.283912897 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:45.289335966 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:45.406478882 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:45.412024975 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:52.880877972 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:52.880958080 CEST	443	49935	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:52.881043911 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:52.882370949 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:52.882405996 CEST	443	49935	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:53.497313976 CEST	443	49935	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:53.497529030 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:53.502671003 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:53.502700090 CEST	443	49935	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:53.502800941 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:53.502985954 CEST	443	49935	34.107.243.93	192.168.2.5
Oct 25, 2024 01:27:53.503597021 CEST	49935	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:27:53.505518913 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:53.511059046 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:53.637408972 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:53.641515017 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:53.646893024 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:53.692712069 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:27:53.766159058 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:27:53.808610916 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:03.209644079 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.209723949 CEST	443	49994	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.213254929 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.213325024 CEST	443	49995	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.215416908 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.215452909 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.215538025 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.215560913 CEST	443	49994	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.215781927 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.215806961 CEST	443	49995	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.659148932 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:03.664607048 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:03.776035070 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:03.781572104 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:03.825388908 CEST	443	49995	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.825508118 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.828444004 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.828471899 CEST	443	49995	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.829421997 CEST	443	49995	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.830349922 CEST	443	49994	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.831233978 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.831356049 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.831480026 CEST	443	49995	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.833024979 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.833024979 CEST	49995	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.833148003 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.836069107 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.836076975 CEST	443	49994	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.836441040 CEST	443	49994	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.841129065 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.841203928 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.841633081 CEST	443	49994	34.120.208.123	192.168.2.5
Oct 25, 2024 01:28:03.842982054 CEST	49994	443	192.168.2.5	34.120.208.123
Oct 25, 2024 01:28:03.870497942 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:03.875895977 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:04.003631115 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:04.026268959 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:04.031672955 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:04.060125113 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:04.151195049 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:04.191703081 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:14.005323887 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:14.010781050 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:14.151978970 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:14.157296896 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:24.017472029 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:24.023118973 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:24.164702892 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:24.170409918 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:33.758235931 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:33.758335114 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 25, 2024 01:28:33.758671045 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:33.760051966 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:33.760103941 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 25, 2024 01:28:34.024233103 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:34.029731989 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:34.177898884 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:34.183377981 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:34.408562899 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 25, 2024 01:28:34.409710884 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:34.421952009 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:34.421952009 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:34.422035933 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 25, 2024 01:28:34.422755957 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 25, 2024 01:28:34.422832012 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 25, 2024 01:28:34.425376892 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:34.430759907 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:34.557785988 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:34.561237097 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:34.566946030 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:34.610333920 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:34.686203957 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:34.726169109 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:44.575567007 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:44.581156015 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:44.691412926 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:44.696909904 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:54.582637072 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:54.588169098 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:28:54.705065966 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:28:54.710588932 CEST	80	49729	34.107.221.82	192.168.2.5
Oct 25, 2024 01:29:04.595825911 CEST	49723	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:29:04.601350069 CEST	80	49723	34.107.221.82	192.168.2.5
Oct 25, 2024 01:29:04.711865902 CEST	49729	80	192.168.2.5	34.107.221.82
Oct 25, 2024 01:29:04.717331886 CEST	80	49729	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 01:27:04.817810059 CEST	60794	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:04.826200962 CEST	53	60794	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:04.827683926 CEST	54951	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:04.836447001 CEST	53	54951	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:05.706176996 CEST	58842	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:05.707146883 CEST	64239	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:05.713588953 CEST	53	58842	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:05.721317053 CEST	62936	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:05.728638887 CEST	53	62936	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:05.732520103 CEST	61398	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:05.732691050 CEST	50964	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:05.739897013 CEST	53	50964	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:05.740747929 CEST	53	61398	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:05.741647959 CEST	52205	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:05.748939037 CEST	53	52205	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.727098942 CEST	65296	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.735502958 CEST	53	65296	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.740328074 CEST	53050	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.748270035 CEST	53	53050	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.749069929 CEST	51554	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.751473904 CEST	54968	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.756321907 CEST	53	51554	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.758666992 CEST	53	54968	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.760859013 CEST	52000	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.761739969 CEST	60601	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.768918037 CEST	53	52000	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.769334078 CEST	53	60601	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.774362087 CEST	51236	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.774776936 CEST	64169	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:06.782566071 CEST	53	64169	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:06.783546925 CEST	53	51236	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:07.048083067 CEST	51554	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:07.055763006 CEST	53	51554	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:07.058125973 CEST	52739	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:07.065512896 CEST	53	52739	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:07.066242933 CEST	57381	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:07.074119091 CEST	53	57381	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:07.196590900 CEST	50778	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:07.197143078 CEST	65000	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:07.203994036 CEST	53	50778	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:07.204602003 CEST	53	65000	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:07.223370075 CEST	49915	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:09.143810034 CEST	65059	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:09.171989918 CEST	58494	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:09.175226927 CEST	53	58137	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:09.179568052 CEST	53	58494	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:09.180530071 CEST	53779	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:09.187731028 CEST	53	53779	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:09.190993071 CEST	52976	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:09.198925018 CEST	53	52976	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:10.063220024 CEST	63927	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:10.070951939 CEST	53	63927	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:10.087093115 CEST	57305	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:10.094319105 CEST	53	57305	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:10.098901987 CEST	53698	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:10.100008011 CEST	63378	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:10.106955051 CEST	53	53698	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:10.107074022 CEST	53	63378	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:10.109076023 CEST	61656	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:10.116981983 CEST	53	61656	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:13.969062090 CEST	57989	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:13.976861000 CEST	53	57989	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:15.363164902 CEST	53559	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:15.370871067 CEST	53	53559	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:15.374974966 CEST	59753	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:15.382719994 CEST	53	59753	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.175666094 CEST	65363	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.183103085 CEST	53	65363	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.201836109 CEST	59438	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.202131987 CEST	54955	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.202198982 CEST	63193	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.209098101 CEST	53	54955	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.209754944 CEST	61507	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.209881067 CEST	53	59438	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.210613966 CEST	53	63193	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.213121891 CEST	49915	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.216933012 CEST	53	61507	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.220779896 CEST	53	49915	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.223721027 CEST	51729	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.223999023 CEST	62612	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.231093884 CEST	53	51729	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.231194973 CEST	52924	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.232342958 CEST	60749	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.238379002 CEST	53	62612	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.238413095 CEST	53	52924	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.239424944 CEST	53	60749	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.239464045 CEST	53240	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.240092039 CEST	60189	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.240166903 CEST	60997	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.246573925 CEST	53	53240	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.247206926 CEST	64082	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.247973919 CEST	53	60189	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.248377085 CEST	53	60997	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.255930901 CEST	53	64082	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.264972925 CEST	64744	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.267318964 CEST	61917	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.267608881 CEST	64365	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:20.273216009 CEST	53	64744	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.274353027 CEST	53	61917	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:20.274595022 CEST	53	64365	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:32.035759926 CEST	60925	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:32.043946028 CEST	53	60925	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.850263119 CEST	56344	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.852068901 CEST	52245	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.857677937 CEST	53	56344	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.860610008 CEST	53	52245	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.860871077 CEST	60755	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.864748955 CEST	57240	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.869549990 CEST	53	60755	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.872015953 CEST	49396	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.873272896 CEST	53	57240	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.876332045 CEST	50574	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.881072998 CEST	53	49396	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.883657932 CEST	53311	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:33.885132074 CEST	53	50574	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:33.891367912 CEST	53	53311	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:52.881247044 CEST	59232	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:52.888309956 CEST	53	59232	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:52.888972998 CEST	62226	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:27:52.895937920 CEST	53	62226	1.1.1.1	192.168.2.5
Oct 25, 2024 01:27:53.505753040 CEST	51720	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:28:03.206715107 CEST	56363	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:28:03.215497971 CEST	53	56363	1.1.1.1	192.168.2.5
Oct 25, 2024 01:28:33.749037981 CEST	61208	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:28:33.757143974 CEST	53	61208	1.1.1.1	192.168.2.5
Oct 25, 2024 01:28:33.758050919 CEST	62679	53	192.168.2.5	1.1.1.1
Oct 25, 2024 01:28:33.765208960 CEST	53	62679	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 01:27:04.817810059 CEST	192.168.2.5	1.1.1.1	0xaf4b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:04.827683926 CEST	192.168.2.5	1.1.1.1	0xb3d5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:05.706176996 CEST	192.168.2.5	1.1.1.1	0x8c8f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.707146883 CEST	192.168.2.5	1.1.1.1	0x268f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.721317053 CEST	192.168.2.5	1.1.1.1	0x19f7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.732520103 CEST	192.168.2.5	1.1.1.1	0xf4b8	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.732691050 CEST	192.168.2.5	1.1.1.1	0x5b91	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:05.741647959 CEST	192.168.2.5	1.1.1.1	0xa207	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:06.727098942 CEST	192.168.2.5	1.1.1.1	0x3ef6	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.740328074 CEST	192.168.2.5	1.1.1.1	0x4c0b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.749069929 CEST	192.168.2.5	1.1.1.1	0xa48f	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:06.751473904 CEST	192.168.2.5	1.1.1.1	0x3f4d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.760859013 CEST	192.168.2.5	1.1.1.1	0x7eda	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.761739969 CEST	192.168.2.5	1.1.1.1	0x8575	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.774362087 CEST	192.168.2.5	1.1.1.1	0x86b5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:06.774776936 CEST	192.168.2.5	1.1.1.1	0x52de	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:07.048083067 CEST	192.168.2.5	1.1.1.1	0x6343	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.058125973 CEST	192.168.2.5	1.1.1.1	0x8f50	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.066242933 CEST	192.168.2.5	1.1.1.1	0xccb8	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:07.196590900 CEST	192.168.2.5	1.1.1.1	0x8d19	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.197143078 CEST	192.168.2.5	1.1.1.1	0xb088	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.223370075 CEST	192.168.2.5	1.1.1.1	0xed7d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:09.143810034 CEST	192.168.2.5	1.1.1.1	0xe1aa	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:09.171989918 CEST	192.168.2.5	1.1.1.1	0x3827	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:09.180530071 CEST	192.168.2.5	1.1.1.1	0x31cb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:09.190993071 CEST	192.168.2.5	1.1.1.1	0x8f66	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:10.063220024 CEST	192.168.2.5	1.1.1.1	0xd5d5	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.087093115 CEST	192.168.2.5	1.1.1.1	0xf76a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.098901987 CEST	192.168.2.5	1.1.1.1	0x203b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:10.100008011 CEST	192.168.2.5	1.1.1.1	0x11da	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.109076023 CEST	192.168.2.5	1.1.1.1	0xc6a4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:13.969062090 CEST	192.168.2.5	1.1.1.1	0x69a7	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:15.363164902 CEST	192.168.2.5	1.1.1.1	0x5073	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:15.374974966 CEST	192.168.2.5	1.1.1.1	0xb99e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.175666094 CEST	192.168.2.5	1.1.1.1	0xc093	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.201836109 CEST	192.168.2.5	1.1.1.1	0xee4f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.202131987 CEST	192.168.2.5	1.1.1.1	0x3606	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.202198982 CEST	192.168.2.5	1.1.1.1	0x6c0b	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209754944 CEST	192.168.2.5	1.1.1.1	0xab12	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.213121891 CEST	192.168.2.5	1.1.1.1	0xeea1	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.223721027 CEST	192.168.2.5	1.1.1.1	0x96f1	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.223999023 CEST	192.168.2.5	1.1.1.1	0xd7b7	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.231194973 CEST	192.168.2.5	1.1.1.1	0xc3b6	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.232342958 CEST	192.168.2.5	1.1.1.1	0x57db	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.239464045 CEST	192.168.2.5	1.1.1.1	0x6ab4	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.240092039 CEST	192.168.2.5	1.1.1.1	0xbea	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.240166903 CEST	192.168.2.5	1.1.1.1	0x9125	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.247206926 CEST	192.168.2.5	1.1.1.1	0x5bca	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.264972925 CEST	192.168.2.5	1.1.1.1	0x4c25	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.267318964 CEST	192.168.2.5	1.1.1.1	0xf178	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:20.267608881 CEST	192.168.2.5	1.1.1.1	0x9519	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:32.035759926 CEST	192.168.2.5	1.1.1.1	0x958a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:33.850263119 CEST	192.168.2.5	1.1.1.1	0xba58	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 01:27:33.852068901 CEST	192.168.2.5	1.1.1.1	0x342c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.860871077 CEST	192.168.2.5	1.1.1.1	0xa279	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.864748955 CEST	192.168.2.5	1.1.1.1	0xd9b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.872015953 CEST	192.168.2.5	1.1.1.1	0xe375	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.876332045 CEST	192.168.2.5	1.1.1.1	0x91ef	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 01:27:33.883657932 CEST	192.168.2.5	1.1.1.1	0x6437	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:52.881247044 CEST	192.168.2.5	1.1.1.1	0xcf45	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:52.888972998 CEST	192.168.2.5	1.1.1.1	0x5b93	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:27:53.505753040 CEST	192.168.2.5	1.1.1.1	0xb293	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:28:03.206715107 CEST	192.168.2.5	1.1.1.1	0xa6e9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 01:28:33.749037981 CEST	192.168.2.5	1.1.1.1	0x134c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:28:33.758050919 CEST	192.168.2.5	1.1.1.1	0x44b0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 01:27:04.748913050 CEST	1.1.1.1	192.168.2.5	0xcc6a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:04.826200962 CEST	1.1.1.1	192.168.2.5	0xaf4b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.713588953 CEST	1.1.1.1	192.168.2.5	0x8c8f	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.714776993 CEST	1.1.1.1	192.168.2.5	0x268f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:05.714776993 CEST	1.1.1.1	192.168.2.5	0x268f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.728638887 CEST	1.1.1.1	192.168.2.5	0x19f7	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.739897013 CEST	1.1.1.1	192.168.2.5	0x5b91	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 01:27:05.740747929 CEST	1.1.1.1	192.168.2.5	0xf4b8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:05.748939037 CEST	1.1.1.1	192.168.2.5	0xa207	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 01:27:06.735502958 CEST	1.1.1.1	192.168.2.5	0x3ef6	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.748270035 CEST	1.1.1.1	192.168.2.5	0x4c0b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.758630991 CEST	1.1.1.1	192.168.2.5	0x93be	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:06.758630991 CEST	1.1.1.1	192.168.2.5	0x93be	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.758666992 CEST	1.1.1.1	192.168.2.5	0x3f4d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:06.758666992 CEST	1.1.1.1	192.168.2.5	0x3f4d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.768918037 CEST	1.1.1.1	192.168.2.5	0x7eda	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:06.769334078 CEST	1.1.1.1	192.168.2.5	0x8575	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.055763006 CEST	1.1.1.1	192.168.2.5	0x6343	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:07.055763006 CEST	1.1.1.1	192.168.2.5	0x6343	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:07.055763006 CEST	1.1.1.1	192.168.2.5	0x6343	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.065512896 CEST	1.1.1.1	192.168.2.5	0x8f50	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.074119091 CEST	1.1.1.1	192.168.2.5	0xccb8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 01:27:07.203994036 CEST	1.1.1.1	192.168.2.5	0x8d19	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.204602003 CEST	1.1.1.1	192.168.2.5	0xb088	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.204602003 CEST	1.1.1.1	192.168.2.5	0xb088	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:07.231816053 CEST	1.1.1.1	192.168.2.5	0xed7d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:07.231816053 CEST	1.1.1.1	192.168.2.5	0xed7d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:09.151707888 CEST	1.1.1.1	192.168.2.5	0xe1aa	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:09.179568052 CEST	1.1.1.1	192.168.2.5	0x3827	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:09.187731028 CEST	1.1.1.1	192.168.2.5	0x31cb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.040790081 CEST	1.1.1.1	192.168.2.5	0xd5ef	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:10.040790081 CEST	1.1.1.1	192.168.2.5	0xd5ef	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.070951939 CEST	1.1.1.1	192.168.2.5	0xd5d5	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:10.070951939 CEST	1.1.1.1	192.168.2.5	0xd5d5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.094319105 CEST	1.1.1.1	192.168.2.5	0xf76a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.095097065 CEST	1.1.1.1	192.168.2.5	0xae4b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:10.107074022 CEST	1.1.1.1	192.168.2.5	0x11da	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:13.976861000 CEST	1.1.1.1	192.168.2.5	0x69a7	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:13.976861000 CEST	1.1.1.1	192.168.2.5	0x69a7	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:13.976861000 CEST	1.1.1.1	192.168.2.5	0x69a7	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:15.370871067 CEST	1.1.1.1	192.168.2.5	0x5073	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.183384895 CEST	1.1.1.1	192.168.2.5	0xf016	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209098101 CEST	1.1.1.1	192.168.2.5	0x3606	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209098101 CEST	1.1.1.1	192.168.2.5	0x3606	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.209881067 CEST	1.1.1.1	192.168.2.5	0xee4f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.210613966 CEST	1.1.1.1	192.168.2.5	0x6c0b	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:20.210613966 CEST	1.1.1.1	192.168.2.5	0x6c0b	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.216933012 CEST	1.1.1.1	192.168.2.5	0xab12	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.220779896 CEST	1.1.1.1	192.168.2.5	0xeea1	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.231093884 CEST	1.1.1.1	192.168.2.5	0x96f1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 01:27:20.231093884 CEST	1.1.1.1	192.168.2.5	0x96f1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 01:27:20.231093884 CEST	1.1.1.1	192.168.2.5	0x96f1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 01:27:20.231093884 CEST	1.1.1.1	192.168.2.5	0x96f1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 01:27:20.238379002 CEST	1.1.1.1	192.168.2.5	0xd7b7	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 01:27:20.238413095 CEST	1.1.1.1	192.168.2.5	0xc3b6	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.239424944 CEST	1.1.1.1	192.168.2.5	0x57db	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:20.239424944 CEST	1.1.1.1	192.168.2.5	0x57db	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.239424944 CEST	1.1.1.1	192.168.2.5	0x57db	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.239424944 CEST	1.1.1.1	192.168.2.5	0x57db	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.239424944 CEST	1.1.1.1	192.168.2.5	0x57db	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.246573925 CEST	1.1.1.1	192.168.2.5	0x6ab4	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.247973919 CEST	1.1.1.1	192.168.2.5	0xbea	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 01:27:20.248377085 CEST	1.1.1.1	192.168.2.5	0x9125	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.248377085 CEST	1.1.1.1	192.168.2.5	0x9125	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.248377085 CEST	1.1.1.1	192.168.2.5	0x9125	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.248377085 CEST	1.1.1.1	192.168.2.5	0x9125	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:20.255930901 CEST	1.1.1.1	192.168.2.5	0x5bca	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.844238043 CEST	1.1.1.1	192.168.2.5	0x349d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:33.844238043 CEST	1.1.1.1	192.168.2.5	0x349d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.860610008 CEST	1.1.1.1	192.168.2.5	0x342c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.860610008 CEST	1.1.1.1	192.168.2.5	0x342c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.860610008 CEST	1.1.1.1	192.168.2.5	0x342c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.860610008 CEST	1.1.1.1	192.168.2.5	0x342c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.869549990 CEST	1.1.1.1	192.168.2.5	0xa279	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:33.869549990 CEST	1.1.1.1	192.168.2.5	0xa279	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.873272896 CEST	1.1.1.1	192.168.2.5	0xd9b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.873272896 CEST	1.1.1.1	192.168.2.5	0xd9b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.873272896 CEST	1.1.1.1	192.168.2.5	0xd9b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.873272896 CEST	1.1.1.1	192.168.2.5	0xd9b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:33.881072998 CEST	1.1.1.1	192.168.2.5	0xe375	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:35.149879932 CEST	1.1.1.1	192.168.2.5	0xe19f	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:35.149879932 CEST	1.1.1.1	192.168.2.5	0xe19f	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:52.888309956 CEST	1.1.1.1	192.168.2.5	0xcf45	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:27:53.513288975 CEST	1.1.1.1	192.168.2.5	0xb293	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 01:27:53.513288975 CEST	1.1.1.1	192.168.2.5	0xb293	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:28:03.199455976 CEST	1.1.1.1	192.168.2.5	0xd90a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 01:28:33.757143974 CEST	1.1.1.1	192.168.2.5	0x134c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	5060	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 01:27:06.370722055 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:06.974019051 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39432 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	34.107.221.82	80	5060	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 01:27:07.243541956 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:07.840265036 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48734 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49723	34.107.221.82	80	5060	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 01:27:07.637665033 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:08.269341946 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39434 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:08.985920906 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:09.117672920 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39435 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:10.168981075 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:10.301507950 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39436 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:15.373106003 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:15.504864931 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39441 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:21.991256952 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:22.123814106 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39448 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:22.996270895 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:23.128657103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39449 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:23.866024971 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:24.002033949 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39449 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:32.683362007 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:32.815012932 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39458 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:34.471368074 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:34.603404999 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39460 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:35.137222052 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:35.270093918 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39461 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:27:45.283912897 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:27:53.505518913 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:27:53.637408972 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39479 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:28:03.659148932 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:03.870497942 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:28:04.003631115 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39489 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:28:14.005323887 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:24.017472029 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:34.024233103 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:34.425376892 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 01:28:34.557785988 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 39520 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 01:28:44.575567007 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:54.582637072 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:29:04.595825911 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49727	34.107.221.82	80	5060	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 01:27:08.849102974 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49729	34.107.221.82	80	5060	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 01:27:09.178735971 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:09.773816109 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48736 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:10.349591017 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:10.474720001 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48737 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:20.203634977 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:20.328052998 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48747 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:22.163871050 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:22.288358927 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48749 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:23.563821077 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:23.688457966 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:24.004807949 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:24.130100965 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48751 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:32.818502903 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:32.943064928 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48759 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:34.606324911 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:34.731061935 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48761 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:35.273236036 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:35.398189068 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48762 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:27:45.406478882 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:27:53.641515017 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:27:53.766159058 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48780 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:28:03.776035070 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:04.026268959 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:28:04.151195049 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48791 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:28:14.151978970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:24.164702892 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:34.177898884 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:34.561237097 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 01:28:34.686203957 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 48821 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 01:28:44.691412926 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:28:54.705065966 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 01:29:04.711865902 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	19:26:57
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb90000
File size:	919'552 bytes
MD5 hash:	0334989819BCF38BE73C399CAF7CC0F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2121245269.0000000001430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2121286491.0000000001439000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:26:57
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x4c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:26:57
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:26:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x4c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:26:59
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:26:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x4c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:26:59
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x4c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x4c0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:27:00
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:27:01
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2204 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab8395c6-1105-43dd-a082-b75f7f70fefd} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2c876dd10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	19:27:04
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20230927232528 -prefsHandle 1272 -prefMapHandle 4276 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10fd7c61-c9d7-4db7-89e7-571930c51699} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2d9d58710 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	19:27:08
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4552 -prefMapHandle 5108 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c8ee0e7-efb6-48aa-a6a1-12ed26ef26b2} 5060 "\\.\pipe\gecko-crash-server-pipe.5060" 1e2da0c5510 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1617
Total number of Limit Nodes:	69

Executed Functions

Function 00B942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B9430D

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

GetCurrentProcess.KERNEL32(?,00C2CB64,00000000,?,?), ref: 00B94422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B94429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B94454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B94466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B94474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B9447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B944A0

Strings

|O, xrefs: 00BD36F8
GetNativeSystemInfo, xrefs: 00B94460
kernel32.dll, xrefs: 00B9444F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: fb5027e683237ba800bb11721149c52f8e352b7b3a230445a264cba41e52364f
Instruction ID: def125470eb996afcd5bde5407d06639d30d2e87b2a4be8223ad0d79be36d8e5
Opcode Fuzzy Hash: fb5027e683237ba800bb11721149c52f8e352b7b3a230445a264cba41e52364f
Instruction Fuzzy Hash: D4A1626595A2C0DFCB31CB6A788179D7FE4AB36702B1C54F9D84393B32D6A04A05CB62

Function 00B942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B950AA,?,?,00000000,00000000), ref: 00B942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B950AA,?,?,00000000,00000000), ref: 00B942C9
LoadResource.KERNEL32(?,00000000,?,?,00B950AA,?,?,00000000,00000000,?,?,?,?,?,?,00B94F20), ref: 00BD35BE
SizeofResource.KERNEL32(?,00000000,?,?,00B950AA,?,?,00000000,00000000,?,?,?,?,?,?,00B94F20), ref: 00BD35D3
LockResource.KERNEL32(00B950AA,?,?,00B950AA,?,?,00000000,00000000,?,?,?,?,?,?,00B94F20,?), ref: 00BD35E6

Strings

SCRIPT, xrefs: 00B942BF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b8a86ca5f4c35ccf98bba34343f9e7d480f657a5bc51e501732515085bc6c4d5
Instruction ID: 71e23e9f732c553f93c75848d62088e0066d89c141aa5ee89c016c36400e776f
Opcode Fuzzy Hash: b8a86ca5f4c35ccf98bba34343f9e7d480f657a5bc51e501732515085bc6c4d5
Instruction Fuzzy Hash: B5117C70210700BFEB258B65EC88F2B7BB9EFC5B51F2081A9B41296690EB71D8058630

Function 00BD2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B92B6B

Part of subcall function 00B93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C61418,?,00B92E7F,?,?,?,00000000), ref: 00B93A78

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C52224), ref: 00BD2C10
ShellExecuteW.SHELL32(00000000,?,?,00C52224), ref: 00BD2C17

Strings

runas, xrefs: 00BD2C0B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ed1b50250008575943b58a38b1e5c389664abbe601b9490cf5485b751e5f7f3c
Instruction ID: c3bfbc0599ac0280daad49c8ea2e004aa356dbfe58455959d7fec00cd208c434
Opcode Fuzzy Hash: ed1b50250008575943b58a38b1e5c389664abbe601b9490cf5485b751e5f7f3c
Instruction Fuzzy Hash: BC11B1316083416ACF24FF64D892ABEB7E49FA1752F4844BDF582530A2DF618A4A8712

Function 00BFD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BFD501
Process32FirstW.KERNEL32(00000000,?), ref: 00BFD50F
Process32NextW.KERNEL32(00000000,?), ref: 00BFD52F
CloseHandle.KERNELBASE(00000000), ref: 00BFD5DC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8d35b2b4351065044dcfa012dee39db958945324aff02c175383e1247e2df447
Instruction ID: bf7869d6de85c23b12a891924f6bfc37df1ea38a56fc453ebbe48da6ca209b43
Opcode Fuzzy Hash: 8d35b2b4351065044dcfa012dee39db958945324aff02c175383e1247e2df447
Instruction Fuzzy Hash: 6231AD310083049FD710EF64C881BBFBBE8EF99354F10096DF581831A1EB719949CBA2

Function 00BFDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00BD5222), ref: 00BFDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00BFDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00BFDBEE
FindClose.KERNEL32(00000000), ref: 00BFDBFA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 91c95a6b4c2005706cffd3b9f45e33622d6db361f4d45d9b3019226dc8167706
Instruction ID: fc5e3ae5c88f487ff78b974416dd709ac18f21b46fd1c5ad3d1c539357a508b4
Opcode Fuzzy Hash: 91c95a6b4c2005706cffd3b9f45e33622d6db361f4d45d9b3019226dc8167706
Instruction Fuzzy Hash: A2F0A0308209189783306B7CAC4EABE37ADDE11334B104B42F976C24F0EFB0595A86D5

Function 00BB4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00BC28E9,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002,00000000,?,00BC28E9), ref: 00BB4D09
TerminateProcess.KERNEL32(00000000,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002,00000000,?,00BC28E9), ref: 00BB4D10
ExitProcess.KERNEL32 ref: 00BB4D22

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6446e5cb698f4d31924b4cf8ff230098db2f93053efd596c6df8b3b038c993ca
Instruction ID: 5d77379148b2232e906b300f4230ba2e377ca8973beb09758b930981454a9933
Opcode Fuzzy Hash: 6446e5cb698f4d31924b4cf8ff230098db2f93053efd596c6df8b3b038c993ca
Instruction Fuzzy Hash: B9E0B631010548ABCF21AF54DD4ABAC3BA9FB42795B108468FC058A533CB75DD52DB84

Function 00C1AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00C1B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B1D4
_wcslen.LIBCMT ref: 00C1B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C1B236
_wcslen.LIBCMT ref: 00C1B332

Part of subcall function 00C005A7: GetStdHandle.KERNEL32(000000F6), ref: 00C005C6

_wcslen.LIBCMT ref: 00C1B34B
_wcslen.LIBCMT ref: 00C1B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C1B3B6
GetLastError.KERNEL32(00000000), ref: 00C1B407
CloseHandle.KERNEL32(?), ref: 00C1B439
CloseHandle.KERNEL32(00000000), ref: 00C1B44A
CloseHandle.KERNEL32(00000000), ref: 00C1B45C
CloseHandle.KERNEL32(00000000), ref: 00C1B46E
CloseHandle.KERNEL32(?), ref: 00C1B4E3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e76bd85f397dfdeb1a8afbcc0885e75b2726dece3ee0dd9345a07d6a1eb3f7f0
Instruction ID: 93a050df4b2c8fd40504d1ed102c533670ca6b12120973ad45a2e1c73b0861a3
Opcode Fuzzy Hash: e76bd85f397dfdeb1a8afbcc0885e75b2726dece3ee0dd9345a07d6a1eb3f7f0
Instruction Fuzzy Hash: EBF19D715083409FCB14EF24C891BAEBBE1AF86310F14899DF4999B2A2DB31ED44DF52

Function 00B9D730 Relevance: 21.6, APIs: 14, Instructions: 616windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B9D807
timeGetTime.WINMM ref: 00B9DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B9DB28
TranslateMessage.USER32(?), ref: 00B9DB7B
DispatchMessageW.USER32(?), ref: 00B9DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B9DB9F
Sleep.KERNELBASE(0000000A), ref: 00B9DBB1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 07e09cd595dd124d2cc283cf62a2489ee38501a2cbb49951963c4170d60fc4a7
Instruction ID: 3988191c9ff279a6650c28c11b67fd8fbf9e97e3a298535a26d305b015a68137
Opcode Fuzzy Hash: 07e09cd595dd124d2cc283cf62a2489ee38501a2cbb49951963c4170d60fc4a7
Instruction Fuzzy Hash: 0442D030608681EFDB34DF26C884BAAB7E5FF45314F188ABDE55687291D770E844CB92

Function 00B92CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B92D07
RegisterClassExW.USER32(00000030), ref: 00B92D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B92D42
InitCommonControlsEx.COMCTL32(?), ref: 00B92D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B92D6F
LoadIconW.USER32(000000A9), ref: 00B92D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B92D94

Strings

0, xrefs: 00B92CE9
TaskbarCreated, xrefs: 00B92D37
AutoIt v3 GUI, xrefs: 00B92D23
+, xrefs: 00B92CF0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7ebe64bc972b9345dd7f5c54e15703ade486a8a2935a6f90b16f4bee6af099fe
Instruction ID: de0d987367c6ce6140541692d61a3bb43ab611b700fe77d0cf96303304772037
Opcode Fuzzy Hash: 7ebe64bc972b9345dd7f5c54e15703ade486a8a2935a6f90b16f4bee6af099fe
Instruction Fuzzy Hash: 7C21C3B5911218AFDB20DFA5E889BDDBBB4FB08702F08411AF911A66A0D7B14545CF91

Function 00BD065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BD0704,?,?,00000000,?,00BD0704,00000000,0000000C), ref: 00BD03B7

GetLastError.KERNEL32 ref: 00BD076F
__dosmaperr.LIBCMT ref: 00BD0776
GetFileType.KERNELBASE(00000000), ref: 00BD0782
GetLastError.KERNEL32 ref: 00BD078C
__dosmaperr.LIBCMT ref: 00BD0795
CloseHandle.KERNEL32(00000000), ref: 00BD07B5
CloseHandle.KERNEL32(?), ref: 00BD08FF
GetLastError.KERNEL32 ref: 00BD0931
__dosmaperr.LIBCMT ref: 00BD0938

Strings

H, xrefs: 00BD08BD

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3d09287cb6feef3936fae8bb94e97aec91b3d924b4cbb3fc6e4f184bf9d864b8
Instruction ID: 078def0a972927879128a5505c80cee9fc88cf00354ce546b577b25122cb332a
Opcode Fuzzy Hash: 3d09287cb6feef3936fae8bb94e97aec91b3d924b4cbb3fc6e4f184bf9d864b8
Instruction Fuzzy Hash: 25A106329141059FDF29EF68D891BAEBBE0EB46320F14019AF815AF391E7719C13CB91

Function 00B9344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B93A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C61418,?,00B92E7F,?,?,?,00000000), ref: 00B93A78

Part of subcall function 00B93357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B93379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B9356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BD318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BD31CE
RegCloseKey.ADVAPI32(?), ref: 00BD3210
_wcslen.LIBCMT ref: 00BD3277
_wcslen.LIBCMT ref: 00BD3286

Strings

\, xrefs: 00BD328C
Software\AutoIt v3\AutoIt, xrefs: 00B93560
\Include\, xrefs: 00B93527
Include, xrefs: 00BD3184, 00BD31C5

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 9cdc54cd352ff596f8cefdc32ccfe8b82dcef561993fc762a6bcc1acc425960d
Instruction ID: 1313adcd1ff82e98a7adb2029601b4244aaa76065b6cf90c4a3cb3a04a80ee8e
Opcode Fuzzy Hash: 9cdc54cd352ff596f8cefdc32ccfe8b82dcef561993fc762a6bcc1acc425960d
Instruction Fuzzy Hash: 57715D715047019EC724EF66DC81AAFBBE8FF95740B40087EF545932B1EBB09A49CB52

Function 00B92B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B92B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B92B9D
LoadIconW.USER32(00000063), ref: 00B92BB3
LoadIconW.USER32(000000A4), ref: 00B92BC5
LoadIconW.USER32(000000A2), ref: 00B92BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B92BEF
RegisterClassExW.USER32(?), ref: 00B92C40

Part of subcall function 00B92CD4: GetSysColorBrush.USER32(0000000F), ref: 00B92D07
Part of subcall function 00B92CD4: RegisterClassExW.USER32(00000030), ref: 00B92D31
Part of subcall function 00B92CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B92D42
Part of subcall function 00B92CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B92D5F
Part of subcall function 00B92CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B92D6F
Part of subcall function 00B92CD4: LoadIconW.USER32(000000A9), ref: 00B92D85
Part of subcall function 00B92CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B92D94

Strings

#, xrefs: 00B92C16
AutoIt v3, xrefs: 00B92C2F
0, xrefs: 00B92C0F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 81cad0378b4b496da31352ba1c8271f67349279067c8a795d12309c6c750bb3f
Instruction ID: 8b826056f9cdc966add8587dfb5ea2e70e2b1dfd6ec44025f32f60fef1b83a5b
Opcode Fuzzy Hash: 81cad0378b4b496da31352ba1c8271f67349279067c8a795d12309c6c750bb3f
Instruction Fuzzy Hash: B2210971E10314ABDB209FA6EC95BAD7FB4FB48B51F08006AEA01A67B0D7F14541DF90

Function 00B93170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B9316A,?,?), ref: 00B931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B9316A,?,?), ref: 00B93204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B93227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B9316A,?,?), ref: 00B93232
CreatePopupMenu.USER32 ref: 00B93246
PostQuitMessage.USER32(00000000), ref: 00B93267

Strings

TaskbarCreated, xrefs: 00B9322D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6175b51aca773d1a7c3ec78e6fef1cbbd3c658f9d6d3ecdf1a92b22a188db420
Instruction ID: fa3c2193aa01566f8248e2d5c46eed42937acb0fbc25a9b902ee43aa649ec4fd
Opcode Fuzzy Hash: 6175b51aca773d1a7c3ec78e6fef1cbbd3c658f9d6d3ecdf1a92b22a188db420
Instruction Fuzzy Hash: B6414431214204ABDF342B789D8DB7D3ADAEB05B41F0C41B6F912D62B1DBB18A41E7A1

Function 00B91410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B91459
CoUninitialize.COMBASE ref: 00B914F8
UnregisterHotKey.USER32(?), ref: 00B916DD
DestroyWindow.USER32(?), ref: 00BD24B9
FreeLibrary.KERNEL32(?), ref: 00BD251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD254B

Strings

close all, xrefs: 00B91454

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0777847e4b3ec480e0482f625271dfaf5008b0e5010361c3373fa4658bec24e1
Instruction ID: 12219f283077142913c02f17742734975bcfd854f88be45e59e0e6d08ac32865
Opcode Fuzzy Hash: 0777847e4b3ec480e0482f625271dfaf5008b0e5010361c3373fa4658bec24e1
Instruction Fuzzy Hash: 24D169316012128FCB29EF58D895A29F7E4BF25700F1546EEE44A6B361DB30EC12DF50

Function 00B92C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B92C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B92CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B91CAD,?), ref: 00B92CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B91CAD,?), ref: 00B92CCF

Strings

AutoIt v3, xrefs: 00B92C89, 00B92C8E, 00B92C8F
edit, xrefs: 00B92CAC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c94a84a39daa5b4d2ae992adf8ee228ee4bd3630da02826f7b9b775fde629f2b
Instruction ID: a614b59b80c66477c85ff385bd38c4ac132c2df10aea1caa8bfde86f4cd2a4bf
Opcode Fuzzy Hash: c94a84a39daa5b4d2ae992adf8ee228ee4bd3630da02826f7b9b775fde629f2b
Instruction Fuzzy Hash: 5CF0DA755502907AEB711B17AC48F7F2EBDD7CAF51B08006AFD01A26B0C6B15851EAB1

Function 00B93B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B93B0F,SwapMouseButtons,00000004,?), ref: 00B93B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B93B0F,SwapMouseButtons,00000004,?), ref: 00B93B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B93B0F,SwapMouseButtons,00000004,?), ref: 00B93B83

Strings

Control Panel\Mouse, xrefs: 00B93B3E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8d8053a21714bad78be2ba1bb849f0323125015a1e226bc260b3c026601fd1d9
Instruction ID: 1e41cbde5e926b938d9a843260759a0ba463db13e66b0f8965a59dbd66c01ae6
Opcode Fuzzy Hash: 8d8053a21714bad78be2ba1bb849f0323125015a1e226bc260b3c026601fd1d9
Instruction Fuzzy Hash: 92112AB5520208FFDF208FA5DC84EAEB7F8EF04B44B1044A9A805D7210D2719E4197A0

Function 00B93923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BD33A2

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B93A04

Strings

Line: , xrefs: 00BD33EB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7db25eb694cc4c9065b482718de26f8447b6d71afbe2a737532480180762d44c
Instruction ID: a71346f76c7f81c1207ed4f4a792a8ea25d4377ed288db4457993795de508bd2
Opcode Fuzzy Hash: 7db25eb694cc4c9065b482718de26f8447b6d71afbe2a737532480180762d44c
Instruction Fuzzy Hash: 3C31B671408304AFCB25EB14DC45BEFB7D8AB44B50F0845BEF99A931A1EBB09649C7C6

Function 00BAFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00BB0668

Part of subcall function 00BB32A4: RaiseException.KERNEL32(?,?,?,00BB068A,?,00C61444,?,?,?,?,?,?,00BB068A,00B91129,00C58738,00B91129), ref: 00BB3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00BB0685

Strings

Unknown exception, xrefs: 00BB0692

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7587af0c8a6fee29ad1a36c3469e106d9b4ae5117bc6018f988da212bbe62cb5
Instruction ID: 58be5308451fe24ece9b95d0733573b5f8a4997e663c088240a1de4d4ec77182
Opcode Fuzzy Hash: 7587af0c8a6fee29ad1a36c3469e106d9b4ae5117bc6018f988da212bbe62cb5
Instruction Fuzzy Hash: CCF0C23490020DB78F14BAA4D886CFF77EC9E00750B6041F1B924969A2EFF1EA69C690

Function 00B910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B91BF4
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B91BFC
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B91C07
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B91C12
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B91C1A
Part of subcall function 00B91BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B91C22

Part of subcall function 00B91B4A: RegisterWindowMessageW.USER32(00000004,?,00B912C4), ref: 00B91BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B9136A
OleInitialize.OLE32 ref: 00B91388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BD24AB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 72bcb1cd8329f4e788d9e997e2920c6140048bf79f5fb436e7ad7cb6ab866a8c
Instruction ID: 0850baa7d9b1f14abb92f30b4c66e9adefc8559e21b8dc60d0f821286d504639
Opcode Fuzzy Hash: 72bcb1cd8329f4e788d9e997e2920c6140048bf79f5fb436e7ad7cb6ab866a8c
Instruction Fuzzy Hash: BD71CDB49152418ECBA4EF7BA88576DBAE0FB8834631D856ADC0BC72A1EBB04441DF45

Function 00BFC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B93A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BFC259
KillTimer.USER32(?,00000001,?,?), ref: 00BFC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BFC270

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: abe41536383987eabb32954beef8470590ad25d4726cce3c4b65ced347790b1a
Instruction ID: 32dc40e8d63685981d053c1d03c5c1cf278974584a40e1c046f662cba373c2c3
Opcode Fuzzy Hash: abe41536383987eabb32954beef8470590ad25d4726cce3c4b65ced347790b1a
Instruction Fuzzy Hash: 6231B170904348AFEB329F648995BEBBFECEF06704F0404DAD69AA3241C7745AC9CB51

Function 00BC86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00BC85CC,?,00C58CC8,0000000C), ref: 00BC8704
GetLastError.KERNEL32(?,00BC85CC,?,00C58CC8,0000000C), ref: 00BC870E
__dosmaperr.LIBCMT ref: 00BC8739

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 9ef077339b5e90f15c19f9aaaacda62c7edd029f89e3290073d3f4d429242fde
Instruction ID: 23534c35393a77f8f0b11c2064b7c7f65937671dc90ce414315742b91966a29d
Opcode Fuzzy Hash: 9ef077339b5e90f15c19f9aaaacda62c7edd029f89e3290073d3f4d429242fde
Instruction Fuzzy Hash: F1012B3260566027D63463346885F7F67C98BC1778F3902EEF8599B1D2DEA0ACC28194

Function 00B9DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00B9DB7B
DispatchMessageW.USER32(?), ref: 00B9DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B9DB9F
Sleep.KERNELBASE(0000000A), ref: 00B9DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00BE1CC9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 69349fda715042674cee59f30127dee59cd6f1c62f41ae592caaf33ee9bcf673
Instruction ID: f07e0217c309060773bb1bed0fb88c62c634252a081fa919474d38f3b3032bdd
Opcode Fuzzy Hash: 69349fda715042674cee59f30127dee59cd6f1c62f41ae592caaf33ee9bcf673
Instruction Fuzzy Hash: 38F05E306143809BEB30CB61CCC9FAE73E8EB49711F244A69E65AC70C0DB749489DB25

Function 00BA1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BA17F6

Strings

CALL, xrefs: 00BA17C6

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b9b7d179ce35985a23695100acf69f85311b8f8cc382b3fe459c405d71247f80
Instruction ID: 21f4aee7281d2f8b278a0d5b3a63ba43b572e124189e58b590545487c6d2795d
Opcode Fuzzy Hash: b9b7d179ce35985a23695100acf69f85311b8f8cc382b3fe459c405d71247f80
Instruction Fuzzy Hash: 11229A706082419FC754DF29C490B2ABBF1FF9A354F2489ADF4968B3A1D731E845CB92

Function 00B92DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BD2C8C

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

Part of subcall function 00B92DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B92DC4

Strings

X, xrefs: 00BD2C5A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 848e2ffbe592dd2f699b98c2cba03a3d1a0da8bf7c4c7590fc722925c0adc621
Instruction ID: adc5c50fd6277e240a702d8966cffbd0c55eb111692679d291ff8ee2498ab011
Opcode Fuzzy Hash: 848e2ffbe592dd2f699b98c2cba03a3d1a0da8bf7c4c7590fc722925c0adc621
Instruction Fuzzy Hash: 0321C671A10258AFDF01DF94C845BEE7BF8DF48305F4040AAE405A7341EBB459898B61

Function 00B93837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B93908

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ed9ce79382d2fad8c1eac17d8e6ccfa04033458f871868972745f9bee75f4b09
Instruction ID: 2b9aeb459d0586cc3b0822f6e843de3ed3dd9dc98aae073a74382ba356e71815
Opcode Fuzzy Hash: ed9ce79382d2fad8c1eac17d8e6ccfa04033458f871868972745f9bee75f4b09
Instruction Fuzzy Hash: BC3193705043019FD720DF25D8847ABBBE4FB49719F04097EFA9A87350E7B1AA44CB92

Function 00BAF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BAF661

Part of subcall function 00B9D730: GetInputState.USER32 ref: 00B9D807

Sleep.KERNEL32(00000000), ref: 00BEF2DE

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 2b800dd58c02973e070d2f3b14ea1827b95eef877336d7b84bf57e7e0b0b6ee2
Instruction ID: 76bbec92053fb38f968b7b33a9559f13e2420d6507c9570b4fb5f645e5c46a4d
Opcode Fuzzy Hash: 2b800dd58c02973e070d2f3b14ea1827b95eef877336d7b84bf57e7e0b0b6ee2
Instruction Fuzzy Hash: 0AF08C312506059FD310EFA9E599F6EB7E8EF55760F0000B9E859C7260DB70A800CB91

Function 00B9B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B9BB4E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 928d1891da68eaa3b7ecb6bf902f6c4a991c774a75739ab1c1d7f32a207ed3bb
Instruction ID: 2886a5b8a5aa5e2536dda316a43ed533a2a2553bd77541658a4f924716c84937
Opcode Fuzzy Hash: 928d1891da68eaa3b7ecb6bf902f6c4a991c774a75739ab1c1d7f32a207ed3bb
Instruction Fuzzy Hash: A3328B70A002499FDF24DF55D994FBEB7F9EB48300F1480A9E915AB261C7B8ED81CB91

Function 00B94ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B94E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E9C
Part of subcall function 00B94E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B94EAE
Part of subcall function 00B94E90: FreeLibrary.KERNEL32(00000000,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EFD

Part of subcall function 00B94E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E62
Part of subcall function 00B94E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B94E74
Part of subcall function 00B94E59: FreeLibrary.KERNEL32(00000000,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E87

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 0ecaccadb8eea59935b1c9bbc2abbc3e7ce235138380f492f1feb03fbff5c2ab
Instruction ID: fb4845687d058b1dd3b884449c880c6074a8ab81f95c74cab4355526d36e1040
Opcode Fuzzy Hash: 0ecaccadb8eea59935b1c9bbc2abbc3e7ce235138380f492f1feb03fbff5c2ab
Instruction Fuzzy Hash: 7711C132610206ABCF24AB60DC42FED77E5AF50B50F20847AF546A61D2EF709A069750

Function 00BC8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00BC8440

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 62ac1ce606520b9897f63cbc471caf214bf617fafac37270619ae1915fe49a30
Instruction ID: bc0c369fdc204c6dd403e65672ce667878983841455971192500af5440a475e1
Opcode Fuzzy Hash: 62ac1ce606520b9897f63cbc471caf214bf617fafac37270619ae1915fe49a30
Instruction Fuzzy Hash: 6111187590410AAFCB19DF58E941E9E7BF5EF48314F1540A9F808AB312DA31DA11CBA5

Function 00BC5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BC4C7D: RtlAllocateHeap.NTDLL(00000008,00B91129,00000000,?,00BC2E29,00000001,00000364,?,?,?,00BBF2DE,00BC3863,00C61444,?,00BAFDF5,?), ref: 00BC4CBE

_free.LIBCMT ref: 00BC506C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: dab04ea5372d2f12ebb7db0cb6ae94bb4d2be8ee5356cf5944f5452b75a0996a
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 450126722047046BE3318F659881F5AFBE8FB89370F65056DE58483280EB70A945C6B4

Function 00BBE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a87889b1333a172c64af22d7d0d1ba42006bb2a93e46d06675a82d8705fcbe1f
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DBF0F432510A149BC6313A699C05FFA37D89F52335F1007E9F872922E2DBF4D80186A6

Function 00BC4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B91129,00000000,?,00BC2E29,00000001,00000364,?,?,?,00BBF2DE,00BC3863,00C61444,?,00BAFDF5,?), ref: 00BC4CBE

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ef3db1b15c26809cad68453e8e0bbb267f3e3a9518362d13153f57dc604cbb82
Instruction ID: 91022c3c18cd6ed0b068c9786137b8fcc6ae1d00a06eb22056497249138d70d5
Opcode Fuzzy Hash: ef3db1b15c26809cad68453e8e0bbb267f3e3a9518362d13153f57dc604cbb82
Instruction Fuzzy Hash: 4DF0E93160222467DB215F629C15FAF37C8FF417B1B1841A9FC19E72B1CBB0DA1586E0

Function 00BC3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ea6e38b10ace09e686b49e083c85ba3a8a6c75c65241c6bd0ca6b87dd3bd7ace
Instruction ID: 0801c4620658e70fa69fc391e2fecd242290bbae66a705c4816939eb485fad12
Opcode Fuzzy Hash: ea6e38b10ace09e686b49e083c85ba3a8a6c75c65241c6bd0ca6b87dd3bd7ace
Instruction Fuzzy Hash: 0BE0E53110422497E6312A679C01FEE36D8EB42FB0F8980A8BC0592591DB50DD0187E0

Function 00B94F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94F6D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 24bf1deeda424aabdcc762b49696f3396460359a725580871e817f47272b42fe
Instruction ID: 0ad88da37b84220441ff94c2f4d3a5530f016fff13b59b159dddac0a17a94f78
Opcode Fuzzy Hash: 24bf1deeda424aabdcc762b49696f3396460359a725580871e817f47272b42fe
Instruction Fuzzy Hash: 8EF01571105752CFDB349F64D494E66BBE4EF143293208ABEE1EE82A21C7319845DB10

Function 00C22A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C22A66

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 463dece8be5ffef5209a9f88d72b743ec46daf0b0800923b2408869a5bfcb2bf
Instruction ID: 5b94aaed38ed234b4751e48ca4cf78dcded7a186bef98903a9d5d98c9badba84
Opcode Fuzzy Hash: 463dece8be5ffef5209a9f88d72b743ec46daf0b0800923b2408869a5bfcb2bf
Instruction Fuzzy Hash: 8DE04F3635012ABAC714EA31EC809FEB79CEB543957104536BD26D2950DB309A95A6A0

Function 00B930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B9314E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 88e7f8f8ba63656ae86426155c7ecb5f1371d1fa8ebc631711db68449f782f15
Instruction ID: 98592f9f6696153d1ae9e51002e290f30b7f4198d0c73a72e6892a39104d0007
Opcode Fuzzy Hash: 88e7f8f8ba63656ae86426155c7ecb5f1371d1fa8ebc631711db68449f782f15
Instruction Fuzzy Hash: 3FF037709143149FEB629B24DC457DE7BFCA701708F0801F5E54996291D7B45788CF95

Function 00B92DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B92DC4

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4c76df083db46c182ab53da00ec2638f768d51913c7cedc94e1f27ca96e0dd46
Instruction ID: fc9f65002b34a34781e59c670f4d4dfff30e63bab5653533b8384737bfde4e36
Opcode Fuzzy Hash: 4c76df083db46c182ab53da00ec2638f768d51913c7cedc94e1f27ca96e0dd46
Instruction Fuzzy Hash: E0E0CD726001245BCB209398DC06FDE77DDDFC8790F0400B1FD09D7248ED60AD848550

Function 00B92B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B93837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B93908

Part of subcall function 00B9D730: GetInputState.USER32 ref: 00B9D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B92B6B

Part of subcall function 00B930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B9314E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: bffa339418450b05829cae160fc2197715105205734f6732d30bbebadd0d3659
Instruction ID: 73a5d43df5041f8c1eabeb11ab2058c8e351a21c65530cbfe2649be16e14a5d6
Opcode Fuzzy Hash: bffa339418450b05829cae160fc2197715105205734f6732d30bbebadd0d3659
Instruction Fuzzy Hash: 39E07D2130024407CE18BB769892BBDB3C9CFD1752F4408BEF24283163CF2449454312

Function 00BD039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BD0704,?,?,00000000,?,00BD0704,00000000,0000000C), ref: 00BD03B7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1761f685fff58728a9f71e3047d0e3c96c00819b2660352f3974b9501eb4ff11
Instruction ID: 71dcacaca1f501af6b107802e3a97b2b874febf55c957a874647f5a2a7e16507
Opcode Fuzzy Hash: 1761f685fff58728a9f71e3047d0e3c96c00819b2660352f3974b9501eb4ff11
Instruction Fuzzy Hash: A2D06C3205010DBBDF128F84DD46EDE3BAAFB48714F014000BE1856020C732E832AB90

Function 00B91CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B91CBC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4b5445fb94680359c477b1cf2ad422650efd1b807f6bd2ca1015c2131d6323f9
Instruction ID: 39cccf6fe48e124b151c69863f8da36f6db28876fdb06f4fe925850ea07dc9d4
Opcode Fuzzy Hash: 4b5445fb94680359c477b1cf2ad422650efd1b807f6bd2ca1015c2131d6323f9
Instruction Fuzzy Hash: C3C09B352803049FF2344B81BC4AF1C7754A758B01F084011F60A555F3C3E15410F650

Non-executed Functions

Function 00C29576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C2961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C2965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C2969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C296C9
SendMessageW.USER32 ref: 00C296F2
GetKeyState.USER32(00000011), ref: 00C2978B
GetKeyState.USER32(00000009), ref: 00C29798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C297AE
GetKeyState.USER32(00000010), ref: 00C297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C297E9
SendMessageW.USER32 ref: 00C29810
SendMessageW.USER32(?,00001030,?,00C27E95), ref: 00C29918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C2992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C29941
SetCapture.USER32(?), ref: 00C2994A
ClientToScreen.USER32(?,?), ref: 00C299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C299D6
ReleaseCapture.USER32 ref: 00C299E1
GetCursorPos.USER32(?), ref: 00C29A19
ScreenToClient.USER32(?,?), ref: 00C29A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C29A80
SendMessageW.USER32 ref: 00C29AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C29AEB
SendMessageW.USER32 ref: 00C29B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C29B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C29B4A
GetCursorPos.USER32(?), ref: 00C29B68
ScreenToClient.USER32(?,?), ref: 00C29B75
GetParent.USER32(?), ref: 00C29B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C29BFA
SendMessageW.USER32 ref: 00C29C2B
ClientToScreen.USER32(?,?), ref: 00C29C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C29CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C29CDE
SendMessageW.USER32 ref: 00C29D01
ClientToScreen.USER32(?,?), ref: 00C29D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C29D82

Part of subcall function 00BA9944: GetWindowLongW.USER32(?,000000EB), ref: 00BA9952

GetWindowLongW.USER32(?,000000F0), ref: 00C29E05

Strings

@GUI_DRAGID, xrefs: 00C2997D
F, xrefs: 00C29D07

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: ce0f073948572e4a220409bd5d57c245dced97b37091ffdb8aed9ce4d9f52424
Instruction ID: a2bbf98fff7eeb40372baa5b466e2272591a5351f2be18a2cbc1c070c338d6cd
Opcode Fuzzy Hash: ce0f073948572e4a220409bd5d57c245dced97b37091ffdb8aed9ce4d9f52424
Instruction Fuzzy Hash: 5042AC34204610AFDB20CF28DC84BAABBF5FF49720F140619FAA987AA1D771E951DF51

Function 00C24873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C24908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C24927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C2494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C2495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C2497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C24A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C24A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C24A7E
IsMenu.USER32(?), ref: 00C24A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C24AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C24B20
GetWindowLongW.USER32(?,000000F0), ref: 00C24B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C24BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C24C82
wsprintfW.USER32 ref: 00C24CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C24CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C24CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C24D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C24D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C24D5A

Strings

%d/%02d/%02d, xrefs: 00C24CA8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a93749a804fcfcc4913cdd4df8dc0c5be3dabe7b088eef26dc5449d0e1da97cb
Instruction ID: cda022ac2d2a6a9affcf9be5b9e965ab091809d1b6430da6f0a0c908adc2b657
Opcode Fuzzy Hash: a93749a804fcfcc4913cdd4df8dc0c5be3dabe7b088eef26dc5449d0e1da97cb
Instruction Fuzzy Hash: D5121431500224ABEB288F69EC49FBE7BF8EF85710F104169F525DB6E1DB749A41CB50

Function 00BAF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BAF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BEF474
IsIconic.USER32(00000000), ref: 00BEF47D
ShowWindow.USER32(00000000,00000009), ref: 00BEF48A
SetForegroundWindow.USER32(00000000), ref: 00BEF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BEF4AA
GetCurrentThreadId.KERNEL32 ref: 00BEF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BEF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BEF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BEF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BEF4DE
SetForegroundWindow.USER32(00000000), ref: 00BEF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF4F6
keybd_event.USER32(00000012,00000000), ref: 00BEF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF50B
keybd_event.USER32(00000012,00000000), ref: 00BEF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF519
keybd_event.USER32(00000012,00000000), ref: 00BEF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BEF528
keybd_event.USER32(00000012,00000000), ref: 00BEF52D
SetForegroundWindow.USER32(00000000), ref: 00BEF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BEF557

Strings

Shell_TrayWnd, xrefs: 00BEF46F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 0499ff6d06abc8d376f71f78588f8be236805485201b9fa3e91fee39e66badbb
Instruction ID: 8c690935c20cfa6acfd83b6563c20d2fbef968d726c27f4fda4da45fdcaeeb25
Opcode Fuzzy Hash: 0499ff6d06abc8d376f71f78588f8be236805485201b9fa3e91fee39e66badbb
Instruction Fuzzy Hash: F7316A71A50219BFEB316BB65C8AFBF7EBCEB44B50F100065F601E61D1C7B19D11AAA0

Function 00BF1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BF170D
Part of subcall function 00BF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BF173A
Part of subcall function 00BF16C3: GetLastError.KERNEL32 ref: 00BF174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BF1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BF12A8
CloseHandle.KERNEL32(?), ref: 00BF12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BF12D1
GetProcessWindowStation.USER32 ref: 00BF12EA
SetProcessWindowStation.USER32(00000000), ref: 00BF12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BF1310

Part of subcall function 00BF10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BF11FC), ref: 00BF10D4
Part of subcall function 00BF10BF: CloseHandle.KERNEL32(?,?,00BF11FC), ref: 00BF10E9

Strings

winsta0, xrefs: 00BF12CC
default, xrefs: 00BF130B
, xrefs: 00BF125A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b3020af3d11f0d75dc4198303254b99416387b82ddf884d7ff282955e051e2b1
Instruction ID: c4c7374b7b379d340d96e76c6ee99448ab014b7ac2b97663e1cec6ce25f617ee
Opcode Fuzzy Hash: b3020af3d11f0d75dc4198303254b99416387b82ddf884d7ff282955e051e2b1
Instruction Fuzzy Hash: 26817D71900209EBDF249FA8DC49BFE7BB9EF44700F1449A9FA11B62A0C7708949CF60

Function 00BF0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BF1114
Part of subcall function 00BF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1120
Part of subcall function 00BF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF112F
Part of subcall function 00BF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1136
Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BF114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BF0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BF0C00
GetLengthSid.ADVAPI32(?), ref: 00BF0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00BF0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BF0C6D
GetLengthSid.ADVAPI32(?), ref: 00BF0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BF0C8C
HeapAlloc.KERNEL32(00000000), ref: 00BF0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BF0CB4
CopySid.ADVAPI32(00000000), ref: 00BF0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BF0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BF0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BF0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0D45
HeapFree.KERNEL32(00000000), ref: 00BF0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0D55
HeapFree.KERNEL32(00000000), ref: 00BF0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0D65
HeapFree.KERNEL32(00000000), ref: 00BF0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BF0D78
HeapFree.KERNEL32(00000000), ref: 00BF0D7F

Part of subcall function 00BF1193: GetProcessHeap.KERNEL32(00000008,00BF0BB1,?,00000000,?,00BF0BB1,?), ref: 00BF11A1
Part of subcall function 00BF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BF0BB1,?), ref: 00BF11A8
Part of subcall function 00BF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BF0BB1,?), ref: 00BF11B7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 553a0ca27b2e07b0628d2bf9828b8954ed579bf5a8a015708dad84dc67c5ae92
Instruction ID: bfc62ab72f4ff5e3e55da8e52fe0ab1b86263e564432429d56f319613d40a377
Opcode Fuzzy Hash: 553a0ca27b2e07b0628d2bf9828b8954ed579bf5a8a015708dad84dc67c5ae92
Instruction Fuzzy Hash: 86715D7591020AABDF10AFA4DC85FBEBBB9FF04300F1445A5EA14A71A1D771A919CB60

Function 00C0EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C2CC08), ref: 00C0EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C0EB37
GetClipboardData.USER32(0000000D), ref: 00C0EB43
CloseClipboard.USER32 ref: 00C0EB4F
GlobalLock.KERNEL32(00000000), ref: 00C0EB87
CloseClipboard.USER32 ref: 00C0EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C0EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C0EBC9
GetClipboardData.USER32(00000001), ref: 00C0EBD1
GlobalLock.KERNEL32(00000000), ref: 00C0EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C0EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C0EC38
GetClipboardData.USER32(0000000F), ref: 00C0EC44
GlobalLock.KERNEL32(00000000), ref: 00C0EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C0EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C0EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C0ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C0ECF3
CountClipboardFormats.USER32 ref: 00C0ED14
CloseClipboard.USER32 ref: 00C0ED59

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b88166a18b9f20032bc2c9c03a5c2125456a551ed23bb9efaddc5b8cde343fde
Instruction ID: 616634b8e39a6394be185011b64bcc8d7f73dadae5f42e6d98817cdb417da30a
Opcode Fuzzy Hash: b88166a18b9f20032bc2c9c03a5c2125456a551ed23bb9efaddc5b8cde343fde
Instruction Fuzzy Hash: 5D619A35244201AFD710EF24D895F2E77E4EF84704F18496DF866972E2CB31EA06CBA2

Function 00C0698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C069BE
FindClose.KERNEL32(00000000), ref: 00C06A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C06A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C06A75

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C06AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C06ADF

Strings

%4d, xrefs: 00C06BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00C06B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C06B32
%02d, xrefs: 00C06C00, 00C06C0A, 00C06C5A, 00C06CAA, 00C06CFA, 00C06D4A
%03d, xrefs: 00C06DA2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: db60edd891b6d5cdd0260f8db215d54de2e7980805c90b6e9a78c210e2985411
Instruction ID: aa469b0f23107704166c84acc99deafd07fc15ffe899295820d48822632bc878
Opcode Fuzzy Hash: db60edd891b6d5cdd0260f8db215d54de2e7980805c90b6e9a78c210e2985411
Instruction Fuzzy Hash: 02D14D72508300AFC710EBA4C891EAFB7ECAF98704F44496DF599D7191EB74DA48CB62

Function 00C09642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C09663
GetFileAttributesW.KERNEL32(?), ref: 00C096A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C096BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C096D3
FindClose.KERNEL32(00000000), ref: 00C096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C0974A
SetCurrentDirectoryW.KERNEL32(00C56B7C), ref: 00C09768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C09772
FindClose.KERNEL32(00000000), ref: 00C0977F
FindClose.KERNEL32(00000000), ref: 00C0978F

Strings

*.*, xrefs: 00C096F5

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 085885c7b5be60134cc2a4b38363bc454bf1090c29ea254493498e9cfad9459f
Instruction ID: 984962cab3eb47a0a5215923598dda45e56cd0e1b7fb8a1cdd0a7de30c1dfdc3
Opcode Fuzzy Hash: 085885c7b5be60134cc2a4b38363bc454bf1090c29ea254493498e9cfad9459f
Instruction Fuzzy Hash: 5A31C232541619AFDB24EFB8DC49BEE77ACDF09321F1041A5F825E20E1DB70DA85CA54

Function 00C0979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C09819
FindClose.KERNEL32(00000000), ref: 00C09824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C09840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C09890
SetCurrentDirectoryW.KERNEL32(00C56B7C), ref: 00C098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C098B8
FindClose.KERNEL32(00000000), ref: 00C098C5
FindClose.KERNEL32(00000000), ref: 00C098D5

Part of subcall function 00BFDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BFDB00

Strings

*.*, xrefs: 00C0983B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5b11f8512b74769858e120c0cb2a82583f6a24f550b49e995e714fe1e3909008
Instruction ID: adcb3069a1bac4c792576ec0e442d5d9c07c01e71770f74cb09e3dbf24f52575
Opcode Fuzzy Hash: 5b11f8512b74769858e120c0cb2a82583f6a24f550b49e995e714fe1e3909008
Instruction Fuzzy Hash: 5831B6315016196FDF20EFB4EC48BDE77ACDF06320F148265E924A31E1DB70DA85CA64

Function 00C1BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00C1BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00C1BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C1C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C1C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C1C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C1C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00C1C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C1C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C1C382
RegCloseKey.ADVAPI32(00000000), ref: 00C1C38F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: b6d3fcdb9db115602f6d2f3392aa47f935de4f9592c09e3de6b16a2f1a65f7c2
Instruction ID: 730b3e15affc05a1c0aeba618e2e5876cf19429d3277df0a586de4f2416f0f59
Opcode Fuzzy Hash: b6d3fcdb9db115602f6d2f3392aa47f935de4f9592c09e3de6b16a2f1a65f7c2
Instruction Fuzzy Hash: 4B024C71604200AFC714DF28C8D5E6ABBE5EF49304F5884ADF85ACB2A2DB31ED46DB51

Function 00C08195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C08257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C08267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C08273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C08310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C0838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08395

Strings

*.*, xrefs: 00C0839B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6ac2dc67fdcfee550c0258ecf0f2ac697c788f081b52d3d408ce149e76653d55
Instruction ID: d2dc37525aac33600aef0e7dec72a65abffd4877ff66058d2ed7279101e34e36
Opcode Fuzzy Hash: 6ac2dc67fdcfee550c0258ecf0f2ac697c788f081b52d3d408ce149e76653d55
Instruction Fuzzy Hash: 8F6171725143059FCB10EF64D840AAEB3E8FF89314F04896DF999D7261DB31E949CB92

Function 00BFD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

Part of subcall function 00BFE199: GetFileAttributesW.KERNEL32(?,00BFCF95), ref: 00BFE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BFD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BFD1DD
MoveFileW.KERNEL32(?,?), ref: 00BFD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BFD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BFD237

Part of subcall function 00BFD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BFD21C,?,?), ref: 00BFD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00BFD253
FindClose.KERNEL32(00000000), ref: 00BFD264

Strings

\*.*, xrefs: 00BFD0CD, 00BFD0D6, 00BFD0EB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4e50399e71cf97843cc86abc0c9db4cff4b8cd5ffa2178f97e4437e310e6ccb4
Instruction ID: 0dd3b760b042304863bc6479fc00704c42beda7df89e1e16d4e11c2a8eae386a
Opcode Fuzzy Hash: 4e50399e71cf97843cc86abc0c9db4cff4b8cd5ffa2178f97e4437e310e6ccb4
Instruction Fuzzy Hash: 28615C3180510DAACF15EBA4CA92AFDB7F6AF15300F2441A9E50177191EF31AF0DCBA1

Function 00C0ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C0ED91
EmptyClipboard.USER32 ref: 00C0ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C0EDAC
CloseClipboard.USER32 ref: 00C0EEA3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1369c36ab8759347f52a32e3fde8c67278dfeab7cced4a3ec219c354b9c6d990
Instruction ID: 389100605fe16bd63828b0a50f27628adf4fe1e4bde464122bc107ed74676775
Opcode Fuzzy Hash: 1369c36ab8759347f52a32e3fde8c67278dfeab7cced4a3ec219c354b9c6d990
Instruction Fuzzy Hash: C9418D35204611AFE720DF15D888F19BBE5EF44318F19C499E42A8BBA2C775FD42CB90

Function 00BFE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BF170D
Part of subcall function 00BF16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BF173A
Part of subcall function 00BF16C3: GetLastError.KERNEL32 ref: 00BF174A

ExitWindowsEx.USER32(?,00000000), ref: 00BFE932

Strings

, xrefs: 00BFE920
, xrefs: 00BFE95C
SeShutdownPrivilege, xrefs: 00BFE902
@, xrefs: 00BFE925

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 26aa7bd486f67cafb3f13754e6270283560227ef08c437eb703972b80ac1dcd8
Instruction ID: 0682efd52124ac2243a577cabc538cc58f93c09a2b2c8773374aa272b23f3589
Opcode Fuzzy Hash: 26aa7bd486f67cafb3f13754e6270283560227ef08c437eb703972b80ac1dcd8
Instruction Fuzzy Hash: 5D01F732620218ABEB2426749CC9FBE72DCDB04741F148961FA22E30E1DAF09C4881A0

Function 00C11204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C11276
WSAGetLastError.WSOCK32 ref: 00C11283
bind.WSOCK32(00000000,?,00000010), ref: 00C112BA
WSAGetLastError.WSOCK32 ref: 00C112C5
closesocket.WSOCK32(00000000), ref: 00C112F4
listen.WSOCK32(00000000,00000005), ref: 00C11303
WSAGetLastError.WSOCK32 ref: 00C1130D
closesocket.WSOCK32(00000000), ref: 00C1133C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 756d67ced2f02f8380e9ccaa8ecbafa499cb84e2fc43e8629899dedbeb5c11fd
Instruction ID: 94550823ef9e0fe1470f45745aab05e7d5718c9a48141186671a1ecc97f1bd77
Opcode Fuzzy Hash: 756d67ced2f02f8380e9ccaa8ecbafa499cb84e2fc43e8629899dedbeb5c11fd
Instruction Fuzzy Hash: 394190316001409FD720DF24C488B69BBE5AF46318F188198E9669F2E6C775ED82DBE1

Function 00BCB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BCB9D4
_free.LIBCMT ref: 00BCB9F8
_free.LIBCMT ref: 00BCBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C33700), ref: 00BCBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C6121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BCBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C61270,000000FF,?,0000003F,00000000,?), ref: 00BCBC36
_free.LIBCMT ref: 00BCBD4B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b5244a4993b38cd1b8baa654c476fda7baf6ab1e5ea8fa1aa7f4d2c0387967f0
Instruction ID: 35442755fae052814dc4883cabbda6580aef36b5ee2707e86eace6f2b2b81f7d
Opcode Fuzzy Hash: b5244a4993b38cd1b8baa654c476fda7baf6ab1e5ea8fa1aa7f4d2c0387967f0
Instruction Fuzzy Hash: 3AC10571A04245AFDB249F798C92FAEBBE8EF41310F1841EEE895D7251EB709E41CB50

Function 00BFD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

Part of subcall function 00BFE199: GetFileAttributesW.KERNEL32(?,00BFCF95), ref: 00BFE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BFD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BFD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BFD481
FindClose.KERNEL32(00000000), ref: 00BFD498
FindClose.KERNEL32(00000000), ref: 00BFD4A1

Strings

\*.*, xrefs: 00BFD3F2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 830f0f7059e1845ceadad0197509865af933b357eba98e0127995dec25dd0f96
Instruction ID: 472e5f9151e16ca48e7bf89ab1c41c55529dc77e816cf90cd11135c42fe967b1
Opcode Fuzzy Hash: 830f0f7059e1845ceadad0197509865af933b357eba98e0127995dec25dd0f96
Instruction Fuzzy Hash: 1A3180310183459BC710EF64C8919BFB7E8BEA1304F444AADF5D593291EB30AA0DD763

Function 00BCE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BCE645

Strings

1#SNAN, xrefs: 00BCF844
1#INF, xrefs: 00BCF852
1#IND, xrefs: 00BCF83D
1#QNAN, xrefs: 00BCF84B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 09bac1721545be20f678d88f238bc3a63530826aba28d211f724444c57eb4cf4
Instruction ID: d0681db5146ac8547dc74d142b287242a99ac5bd744c935cf9ac8011dadd55bb
Opcode Fuzzy Hash: 09bac1721545be20f678d88f238bc3a63530826aba28d211f724444c57eb4cf4
Instruction Fuzzy Hash: 46C20972E046298FDB25CE289D80BEAB7F6EB48305F1541EED45DE7241E774AE818F40

Function 00C0648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C064DC
CoInitialize.OLE32(00000000), ref: 00C06639
CoCreateInstance.OLE32(00C2FCF8,00000000,00000001,00C2FB68,?), ref: 00C06650
CoUninitialize.OLE32 ref: 00C068D4

Strings

.lnk, xrefs: 00C064BA, 00C06524, 00C065E0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1c504a74add17151202c37fa9f6faad8fbdd99582e39f0ff8292aaa268ecad5f
Instruction ID: 939cbf5ff1ed2d2d929fb76e1769ca090b7e821db151f246c1164040b53c69ae
Opcode Fuzzy Hash: 1c504a74add17151202c37fa9f6faad8fbdd99582e39f0ff8292aaa268ecad5f
Instruction Fuzzy Hash: D8D13971508201AFC714EF24C881A6BB7E9FF98704F40496DF5958B291EB71EA49CBA2

Function 00C122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C122E8

Part of subcall function 00C0E4EC: GetWindowRect.USER32(?,?), ref: 00C0E504

GetDesktopWindow.USER32 ref: 00C12312
GetWindowRect.USER32(00000000), ref: 00C12319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C12355
GetCursorPos.USER32(?), ref: 00C12381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C123DF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4eda3506575c14743b41502db8af8817aebeaa438a4ca84c88a4bb70a493f9ee
Instruction ID: b1958dee85f158e9e031cdecb8373adace1fa740a3a72825a60e4147359c8412
Opcode Fuzzy Hash: 4eda3506575c14743b41502db8af8817aebeaa438a4ca84c88a4bb70a493f9ee
Instruction Fuzzy Hash: 0631ED72104305ABC720DF54C848BAFBBADFF89310F400919F9A4A71A1DB34EA59CB92

Function 00C09B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C09B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C09C8B

Part of subcall function 00C03874: GetInputState.USER32 ref: 00C038CB
Part of subcall function 00C03874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C03966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C09BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C09C75

Strings

*.*, xrefs: 00C09B5D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: af293a95d1d889df11f9894bc6bf60de3d0cfe7657bc993015ebf0722bf85226
Instruction ID: 2ccd8bed7a434947e6ee738f5b973806d49e0fd7d13cce048dd28048b707427f
Opcode Fuzzy Hash: af293a95d1d889df11f9894bc6bf60de3d0cfe7657bc993015ebf0722bf85226
Instruction Fuzzy Hash: A3413C7194420A9BDF14DF64C885BEEBBF8EF05310F2441A6E815A2192EB309F85CB61

Function 00BA997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BA9A4E
GetSysColor.USER32(0000000F), ref: 00BA9B23
SetBkColor.GDI32(?,00000000), ref: 00BA9B36

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 850321ab2ec84d457c8cc1846b5d936dfe3e12f05b1423b0664428a3894ff857
Instruction ID: 8d7ea7782ee1acc94b64eaf2d89e27bc8d79b2b56ae76dbd8c99f47ecb5cc291
Opcode Fuzzy Hash: 850321ab2ec84d457c8cc1846b5d936dfe3e12f05b1423b0664428a3894ff857
Instruction Fuzzy Hash: 70A1E47024C494BEE728AA2EDCC8F7F26DDDB87340B19029AF502C6995CF259D01F271

Function 00C11806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C1307A
Part of subcall function 00C1304E: _wcslen.LIBCMT ref: 00C1309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C1185D
WSAGetLastError.WSOCK32 ref: 00C11884
bind.WSOCK32(00000000,?,00000010), ref: 00C118DB
WSAGetLastError.WSOCK32 ref: 00C118E6
closesocket.WSOCK32(00000000), ref: 00C11915

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c2fa7fba53cb9c83b742d6251d70ee2cb9e7c22894bdccf232a7674035fe756f
Instruction ID: 1a6e4374add60b445a7c3f235fbf9c83743aae0ef25029ad26c01453d344fee7
Opcode Fuzzy Hash: c2fa7fba53cb9c83b742d6251d70ee2cb9e7c22894bdccf232a7674035fe756f
Instruction Fuzzy Hash: EC51B471A002109FEB10AF24C886F6A7BE5AB49718F49C09CF9195F3D3DB75AD418BA1

Function 00C21C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C21CC0
IsWindowEnabled.USER32 ref: 00C21CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00C21CDB
IsIconic.USER32 ref: 00C21CE9
IsZoomed.USER32 ref: 00C21CF7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c0cc089a2e6878933e6eea20a7a0b648a2a07291f8eefeb1c550d87d3a7ad3c2
Instruction ID: db03a7f0187c00de79ce3da2ca9db5b5ce9fb186a56c5c7ca00b640f5cc13796
Opcode Fuzzy Hash: c0cc089a2e6878933e6eea20a7a0b648a2a07291f8eefeb1c550d87d3a7ad3c2
Instruction Fuzzy Hash: 6F21F7357406209FD7218F1AE884B2A7BE5EFA5314F1D8068EC4ACBB51CB71ED42CB90

Function 00B98060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00B9813C
VUUU, xrefs: 00BD5DF0
VUUU, xrefs: 00B983E8
VUUU, xrefs: 00B983FA
VUUU, xrefs: 00B9843C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0556d5be1289007cd565ab86b9896d0029c8f9b8a4b5470dbeafebae54a62cce
Instruction ID: f76965d78aae000ca86b286e3ce5ecbc3d92afbf1b58063518be361d8559884b
Opcode Fuzzy Hash: 0556d5be1289007cd565ab86b9896d0029c8f9b8a4b5470dbeafebae54a62cce
Instruction Fuzzy Hash: A9A23B71A0061ACBDF24CF58C9807AEB7F1FB55314F2485EAE815AB385EB749D81CB90

Function 00BFAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BFAAAC
SetKeyboardState.USER32(00000080), ref: 00BFAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BFAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BFAB88

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 58592e2c9631815c78f24f3167ce3918f96bf0d1c8e75f11d716267727139ec1
Instruction ID: 30e252b5a52bd6c9d37eae69bb8d51357e4561e8d43d38601f9a3887e031ea03
Opcode Fuzzy Hash: 58592e2c9631815c78f24f3167ce3918f96bf0d1c8e75f11d716267727139ec1
Instruction Fuzzy Hash: 733105B0A4020CAEFB399A64CC45BFE7BE6EB44310F04429AF289575D2D374899DC762

Function 00C0CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C0CE89
GetLastError.KERNEL32(?,00000000), ref: 00C0CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C0CEFE

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 15a29352d2cb4393209bdfb8b7a24776b968da38a15221162662194ec61bcd31
Instruction ID: 69d273c985ebfb2db36d71b6d7944dd98d7ae2fbfc5c51f374b9f72c4284f0e8
Opcode Fuzzy Hash: 15a29352d2cb4393209bdfb8b7a24776b968da38a15221162662194ec61bcd31
Instruction Fuzzy Hash: 0021BD715007059BD730CFA5C988BAB77F8EB10314F20462EE666D2191E770EE05CB50

Function 00BF8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BF82AA

Strings

(, xrefs: 00BF82F0
|, xrefs: 00BF82DA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e8b134a5d090dcc196e0cf9d4ed913a79b3b089cca78df37f2fe145555ab5b38
Instruction ID: 0304d9c5034344d930b40c86e9bd67401e7c29dab2c4c215e0d9f09bf8fd3c9e
Opcode Fuzzy Hash: e8b134a5d090dcc196e0cf9d4ed913a79b3b089cca78df37f2fe145555ab5b38
Instruction Fuzzy Hash: 10323675A007099FCB28CF59C481A6AB7F0FF48710B15C5AEE59ADB3A1EB70E941CB44

Function 00C05C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C05CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C05D17
FindClose.KERNEL32(?), ref: 00C05D5F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9357967d6ecc680a65910e0fc8a91d01805d28389a78e335efc1a4fdfdbee383
Instruction ID: c15ba97f742ca3fe27c38b3184f71e559a1a46e7a9bda540aab58a2e9ae91530
Opcode Fuzzy Hash: 9357967d6ecc680a65910e0fc8a91d01805d28389a78e335efc1a4fdfdbee383
Instruction Fuzzy Hash: F0518975604B019FC714CF28C494A9AB7E4FF49314F1485AEE9AA8B3A1DB30ED45CF91

Function 00BC2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00BC271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BC2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00BC2731

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fdd938c08d22305a27b932931cc200c90f2931d55f57f8f0f0b38a4e960ea717
Instruction ID: e7cf3ce804244338dd2c7378dfaa591348bbc004c3444dd97ddc5c2b3cb52c8d
Opcode Fuzzy Hash: fdd938c08d22305a27b932931cc200c90f2931d55f57f8f0f0b38a4e960ea717
Instruction Fuzzy Hash: 9631B274911218ABCB21DF68DC89BDDBBF8EF08310F5045EAE81CA6261E7709F818F45

Function 00C051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C05238
SetErrorMode.KERNEL32(00000000), ref: 00C052A1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d86fef0035d06e3aa37db5a50e199f88e67055f7195d5134ec19dd3aeb348719
Instruction ID: 9132f01c26f04f889c060dd07fc51d7431f5472d7cc22ee79a21517589f1ffbf
Opcode Fuzzy Hash: d86fef0035d06e3aa37db5a50e199f88e67055f7195d5134ec19dd3aeb348719
Instruction Fuzzy Hash: BF313A75A105189FDB00DF54D885BAEBBF4FF49314F058099E809AB3A2DB31E95ACB90

Function 00BF16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BB0668
Part of subcall function 00BAFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BB0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BF170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BF173A
GetLastError.KERNEL32 ref: 00BF174A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ca2b9433b9e5e563ca8bb159ed50eb40557323ba30a750eefdc029906a1802c1
Instruction ID: fd5d93f9c5e711cc09af37c2675e522bbdbd165cb0f3b866a0dc53bb988e486d
Opcode Fuzzy Hash: ca2b9433b9e5e563ca8bb159ed50eb40557323ba30a750eefdc029906a1802c1
Instruction Fuzzy Hash: DC11C4B1414309EFD718AF54DCC6EBEB7F9EB04714B20896EE05653641EB70BC458B60

Function 00BFD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BFD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BFD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BFD650

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f4b47fb2f39f833cfd7a2009c551897f7a278c083d28ad58c74b89b95111ba5b
Instruction ID: 95dee7e52b35c394db31deeab239d0f6232ab6cb25e558ffbb2fff264384a4fe
Opcode Fuzzy Hash: f4b47fb2f39f833cfd7a2009c551897f7a278c083d28ad58c74b89b95111ba5b
Instruction Fuzzy Hash: D0115E75E05228BFDB208F95DC85FAFBBBCEB45B60F108155F904E7290D6704A058BA1

Function 00BF1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BF168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BF16A1
FreeSid.ADVAPI32(?), ref: 00BF16B1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0e69ceb98245340f636bbda64501a1dfcb1e3a01dfce46d1f55b64db0451d980
Instruction ID: c0995e17277933bbea463571b9d17abef09f841353ee2cf484f46245e21ad9fb
Opcode Fuzzy Hash: 0e69ceb98245340f636bbda64501a1dfcb1e3a01dfce46d1f55b64db0451d980
Instruction Fuzzy Hash: 9FF0F47195030DFBDB00DFE4DC89EAEBBBCFB08644F5049A5E501E2181E774AA448A54

Function 00BCC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00BCC36C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 14dd026676d315870975be2c55a960e11758815583eec42563f6e622e0f91fd5
Instruction ID: b56bb89510dd8afeb658e5fbc0a5f0c0e463a9b7c9f0d943da824acfd0c36a50
Opcode Fuzzy Hash: 14dd026676d315870975be2c55a960e11758815583eec42563f6e622e0f91fd5
Instruction Fuzzy Hash: 794126765002196FCB249FB9DC88FAB7BF8EB94314F1042ADF919DB180E6709D818B54

Function 00BED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BED28C

Strings

X64, xrefs: 00BED2A8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 1fb18ba4f47693f40f1645b449344921b858fcb322cbc242dd1b8a277160601c
Instruction ID: f8e9805fb3c3e03ec4c78ecbd1aac51e37331ea012818bbbc09e7706c9ff3331
Opcode Fuzzy Hash: 1fb18ba4f47693f40f1645b449344921b858fcb322cbc242dd1b8a277160601c
Instruction Fuzzy Hash: 4DD0CAB481512DEACBA0CBA0ECC8EDEB7BCBB04305F100292F206A2000DB7096498F20

Function 00BBCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d727b36425ecbe8f4abc5820c824c25e4f7df048efddeabbaebf7387e7c8384c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B9020C71E001199FDF14CFA9C8806EEFBF1EF58314F2581AAD819EB384D771A9458B94

Function 00C068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C06918
FindClose.KERNEL32(00000000), ref: 00C06961

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 86ad5b7fa49f3436b8cdffc021969782d3fe918dafac40e9b09abbd50133baeb
Instruction ID: 8c11ae4de6527596ba1bb1a023ed843ed1d34c899746a4d45a700e4904ad61f0
Opcode Fuzzy Hash: 86ad5b7fa49f3436b8cdffc021969782d3fe918dafac40e9b09abbd50133baeb
Instruction Fuzzy Hash: EA118E316142019FC710DF29D484B1ABBE5EF85328F15C6A9E4698F6A2CB30EC05CB91

Function 00C037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C14891,?,?,00000035,?), ref: 00C037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C14891,?,?,00000035,?), ref: 00C037F4

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 51f1d3f71adc382e19a70f7b37b4084fa7e4aa2ccf09776027fae6bcd7da460f
Instruction ID: 00c3342553f07cecfebead8fb74bfdae5063483245a93447a6e394bcb576b0c6
Opcode Fuzzy Hash: 51f1d3f71adc382e19a70f7b37b4084fa7e4aa2ccf09776027fae6bcd7da460f
Instruction Fuzzy Hash: 2BF0E5B06042286AEB2057BA8C8DFEF7AAEEFC8761F000275F509D22D1D9609944C6B0

Function 00BFB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BFB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00BFB270

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 173d0fabb46660974fa45c9739727f78934a54c1f16e467f955b4afaa5b1f03a
Instruction ID: 8020bd9e7d73eef41df7f99ab80cfac5c501663c679ab47013233c8c2e3b8bc5
Opcode Fuzzy Hash: 173d0fabb46660974fa45c9739727f78934a54c1f16e467f955b4afaa5b1f03a
Instruction Fuzzy Hash: 5CF01D7181424DABDF159FA0C845BBE7FB4FF04305F108059F955A6191C379C6159F94

Function 00BF10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BF11FC), ref: 00BF10D4
CloseHandle.KERNEL32(?,?,00BF11FC), ref: 00BF10E9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 86067e7c92c389f1f6ee680bac3e926ba6a89d8077cead03b06fcb36785ac647
Instruction ID: 830350ba43b7c40c7e0c7f309069c43daa435e39d7b72e856b3305ee28deb0f6
Opcode Fuzzy Hash: 86067e7c92c389f1f6ee680bac3e926ba6a89d8077cead03b06fcb36785ac647
Instruction Fuzzy Hash: 85E04F32018601EEE7352B61FC05FBB77E9EB04320B20886EF5A5814B1DB626CA1DB54

Function 00B9CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00BE0C40

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8c10a23aeb8bc25ab0bd0be8daa939229b4ed2823006065cc347b557ec7ae20d
Instruction ID: f20c4577eda19b3cd957e84a7cb6c24c54f511c4503fbf7cbf9f440d7122aecd
Opcode Fuzzy Hash: 8c10a23aeb8bc25ab0bd0be8daa939229b4ed2823006065cc347b557ec7ae20d
Instruction Fuzzy Hash: 7F326A709102189BCF14EF90D995BEDBBF5FF05304F6480B9E806AB292D775AE49CB60

Function 00BC676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BC6766,?,?,00000008,?,?,00BCFEFE,00000000), ref: 00BC6998

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2e063475fc78b754e536b299459917d125975eae510ba6e08e7526d6850a6a2
Instruction ID: 7546c84369e80498800b0c83ddb04a8778c425c66bdc4c5a4e59c269f8d02ccd
Opcode Fuzzy Hash: f2e063475fc78b754e536b299459917d125975eae510ba6e08e7526d6850a6a2
Instruction Fuzzy Hash: F2B129316106099FD719CF28C48AF657BE0FF49364F25869DE89ACF2A2C735E991CB40

Function 00BAB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00BE851F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 08aa7f3188888b76397cea8b86629aaf45897e6fc1ecb2979474cd6aa3e2120a
Instruction ID: 3892c1eccc86f13c6e30fbf418e59f818f5f6e537411976f45da434c0fbd7e44
Opcode Fuzzy Hash: 08aa7f3188888b76397cea8b86629aaf45897e6fc1ecb2979474cd6aa3e2120a
Instruction Fuzzy Hash: 441260719046299FCB14CF59C880AEEB7F5FF49710F1481AAE859EB252DB309E81CF90

Function 00C0EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C0EABD

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 30d567fd71c426645236f20d1b0c8f573f4b426578fc330c905bf1763b6cbd66
Instruction ID: d4e79823d86d8b4f9c86c52b5676a9af10fc951c8e301837b6fb96d0eab5f5a2
Opcode Fuzzy Hash: 30d567fd71c426645236f20d1b0c8f573f4b426578fc330c905bf1763b6cbd66
Instruction Fuzzy Hash: 86E04F323102049FC710EF5AD844E9AFBE9AF98760F01846AFC49C73A1DB70E841CBA0

Function 00BB09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BB03EE), ref: 00BB09DA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c152ac2ad09c581ff45f713776ea9ee2ce565c702e752d12e85ba31751d56ea6
Instruction ID: af833f6f3f1922a45162f2aa935bc1d155bb51f107208c2b274d37eff9f7c43f
Opcode Fuzzy Hash: c152ac2ad09c581ff45f713776ea9ee2ce565c702e752d12e85ba31751d56ea6
Instruction Fuzzy Hash:

Function 00BB781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00BB798B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e65e674b17472d443a00f1c5b018174ab8221d1bec4dedbbd8e8d22793b15326
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 875134616CC6056BDB38896A8C9EBFE23D9DBD2340F1805C9D8C6D7282CED5DE01D356

Function 00BC6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21575775a831e4f663d02c85bda6ab922901210b2dfa008131726931b0f296c
Instruction ID: 1db6e9efd6ff72ab8b70766b9c8a5bdd60f650c195c2287b7d205bc2e3747398
Opcode Fuzzy Hash: b21575775a831e4f663d02c85bda6ab922901210b2dfa008131726931b0f296c
Instruction Fuzzy Hash: 66322231E79F014DDB239634D822339A689AFB73D5F15D73BE81AB5AA5EF29C4834100

Function 00BACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4405103641a43a269ceb68236f7fbcbcadf12cc32158c8f259c454aaa7dc2d7b
Instruction ID: 8e6fec4ad74340f6bfb0aa5c2f958a7b5410de8ffe18d15866e7b0f9e11a3e7b
Opcode Fuzzy Hash: 4405103641a43a269ceb68236f7fbcbcadf12cc32158c8f259c454aaa7dc2d7b
Instruction Fuzzy Hash: 2832F831A081958FDF24CF2AC4D467D7FE1EB46310F2885EAD45A9B296E730DD82DB81

Function 00B97920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3b8f0755f23f704335a020e01d26dc5e34728303489240b376059dfc4ae783
Instruction ID: ebd070070c8159120076428b0aeed97cb6cd81861b8ea940ae76cf25913e8d8b
Opcode Fuzzy Hash: fa3b8f0755f23f704335a020e01d26dc5e34728303489240b376059dfc4ae783
Instruction Fuzzy Hash: B8229E70A0460ADFDF14CFA8D881AAEB7F5FF44310F2045BAE816A7391EB35A955CB50

Function 00B991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cf1c520fb1b06858ef2a9bc30197792dead2b678f207a95ba576b678fb9f3b
Instruction ID: ca4d3484e0b66ba920fca002b25458f568baf2fcd81323b18e542d883466a0c4
Opcode Fuzzy Hash: 69cf1c520fb1b06858ef2a9bc30197792dead2b678f207a95ba576b678fb9f3b
Instruction Fuzzy Hash: 540297B0E1020AEBDF05EF54D881AADB7F1FF44340F5181A9E4169B391EB31EA51CB95

Function 00BC9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14760ce7d97bbe591f305e598b4c37113db38e0c38bc054f431485ed25175e8
Instruction ID: c1b8e5153d041f7e91feacc2250589b8934b783499e9becd7f495d5b4e1b40c8
Opcode Fuzzy Hash: d14760ce7d97bbe591f305e598b4c37113db38e0c38bc054f431485ed25175e8
Instruction Fuzzy Hash: A0B1D030D3AF814DD2639639887133AB69CAFBB6D5B91D71BFC1674D62EB2185834140

Function 00BB1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 82405c67f0026d74c8bcbc74bdb9ed677f250fae97c432419381564d541d4ef9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 019155721090A34BDB69463E85740BEFFE1DB923A135A0FEDD4F2CA1C5EE64C964D620

Function 00BB1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 738f0df6f58590c9a0211575a21147fab0776027587110ea43130c6327f5beb1
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: B99163726090A34BDB29433D84740BEFFE19B923A135A07DDE4F2DA1C5EEA48954E720

Function 00BB19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a0d4d74db8017628ecc2c1c8958bf9fe4415cb0347481940f728967e8e9037bb
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3B9182722090E34BDB29427E85740BEFFE19B923A135A0BDDD4F2CA1C5FE94D564D620

Function 00BB7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2414415b84f4bd876da58afe988809b18cd91a7f88bff69b677819e1b1a71951
Instruction ID: 1145b891edeb8cc98dc95a2d3a039ffd26e893c4fe540c971928793b6343a8ce
Opcode Fuzzy Hash: 2414415b84f4bd876da58afe988809b18cd91a7f88bff69b677819e1b1a71951
Instruction Fuzzy Hash: F06137612C870967DE749A2889B5BFE23D8DFC1700F1409D9E882DB2D1DED19E42CB55

Function 00BB7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cd041076b6fb907a7785937c9366edef88044abbb9c19dcf4fefcd1be3215b
Instruction ID: becbd74bda32b594fdc7c24306f43346ca7a460143bf0970889bc263dfc01cbe
Opcode Fuzzy Hash: b6cd041076b6fb907a7785937c9366edef88044abbb9c19dcf4fefcd1be3215b
Instruction Fuzzy Hash: A96138B16C870957DA389A2888A5BFE23DCDFC2780F1409E9E943DF681DED2DD42C255

Function 00BB1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 565aa89ed6f83514ec6149827765c038d05b39cb3e57f6af6b7477c0d1356437
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 708175726090E34BDB2D463E85744BEFFE1AB923A135A0BDDD4F2CB1C1EE948954D620

Function 00C02046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59064366cf13993a79fe67cf019fd756fe1d93f4d3a38316fcb0d2d5f393a610
Instruction ID: 5a4719893af63d450857615c38777f39f3aa57385bde36c2f1850b78d2640d72
Opcode Fuzzy Hash: 59064366cf13993a79fe67cf019fd756fe1d93f4d3a38316fcb0d2d5f393a610
Instruction Fuzzy Hash: 6921A5326206118BDB38CE79C82677E73E9A754314F15862EE4A7C37D0DE75E904CB80

Function 00C12ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C12B30
DeleteObject.GDI32(00000000), ref: 00C12B43
DestroyWindow.USER32 ref: 00C12B52
GetDesktopWindow.USER32 ref: 00C12B6D
GetWindowRect.USER32(00000000), ref: 00C12B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C12CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C12CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12CF8
GetClientRect.USER32(00000000,?), ref: 00C12D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C12D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D80
GlobalLock.KERNEL32(00000000), ref: 00C12D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12D98
GlobalUnlock.KERNEL32(00000000), ref: 00C12DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12DA8
GlobalFree.KERNEL32(00000000), ref: 00C12DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C2FC38,00000000), ref: 00C12DDB
GlobalFree.KERNEL32(00000000), ref: 00C12DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C12E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C12E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C12E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C1303F

Strings

AutoIt v3, xrefs: 00C12CF2
, xrefs: 00C12FC5
static, xrefs: 00C12D3A, 00C12E91
DISPLAY, xrefs: 00C12EA2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 72f7131b9c4539807ef932a787d08783166cbc451dffe9e454c05e4b99a97b2c
Instruction ID: f8dfb43032775f518a0d8a4263a55fcb4f97f02d5ff4e1165cba133b2026640e
Opcode Fuzzy Hash: 72f7131b9c4539807ef932a787d08783166cbc451dffe9e454c05e4b99a97b2c
Instruction Fuzzy Hash: CC025875910214EFDB24DFA4CC89FAE7BB9EB49711F048158F915AB2A1CB70ED42CB60

Function 00C270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C2712F
GetSysColorBrush.USER32(0000000F), ref: 00C27160
GetSysColor.USER32(0000000F), ref: 00C2716C
SetBkColor.GDI32(?,000000FF), ref: 00C27186
SelectObject.GDI32(?,?), ref: 00C27195
InflateRect.USER32(?,000000FF,000000FF), ref: 00C271C0
GetSysColor.USER32(00000010), ref: 00C271C8
CreateSolidBrush.GDI32(00000000), ref: 00C271CF
FrameRect.USER32(?,?,00000000), ref: 00C271DE
DeleteObject.GDI32(00000000), ref: 00C271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00C27230
FillRect.USER32(?,?,?), ref: 00C27262
GetWindowLongW.USER32(?,000000F0), ref: 00C27284

Part of subcall function 00C273E8: GetSysColor.USER32(00000012), ref: 00C27421
Part of subcall function 00C273E8: SetTextColor.GDI32(?,?), ref: 00C27425
Part of subcall function 00C273E8: GetSysColorBrush.USER32(0000000F), ref: 00C2743B
Part of subcall function 00C273E8: GetSysColor.USER32(0000000F), ref: 00C27446
Part of subcall function 00C273E8: GetSysColor.USER32(00000011), ref: 00C27463
Part of subcall function 00C273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C27471
Part of subcall function 00C273E8: SelectObject.GDI32(?,00000000), ref: 00C27482
Part of subcall function 00C273E8: SetBkColor.GDI32(?,00000000), ref: 00C2748B
Part of subcall function 00C273E8: SelectObject.GDI32(?,?), ref: 00C27498
Part of subcall function 00C273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C274B7
Part of subcall function 00C273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C274CE
Part of subcall function 00C273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C274DB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3bc639dd5b20faf3e6745207e9237d57742bbdf461f981a6413e415c3cbbefda
Instruction ID: f768c2c52e019e5d441b7136276355b06af64b81f9da3463154c4fd55ed5819d
Opcode Fuzzy Hash: 3bc639dd5b20faf3e6745207e9237d57742bbdf461f981a6413e415c3cbbefda
Instruction Fuzzy Hash: 1DA19D72018311EFDB209F64DC88B6E7BA9FF49320F100B29F962965E1D770E945DB92

Function 00BA8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00BA8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BE6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BE6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BE6F43

Part of subcall function 00BA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BA8BE8,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BA8FC5

SendMessageW.USER32(?,00001053), ref: 00BE6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BE6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BE6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BE6FB7

Strings

0, xrefs: 00BE6DCF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 7eb318b94fb67d1ca1f0d91c84f642863006bfefa993bb25143b0883f029e98a
Instruction ID: d5353db495ac127866c3d20410a3d5c612a72c8d3a9c8971ecb3debb3158c3f4
Opcode Fuzzy Hash: 7eb318b94fb67d1ca1f0d91c84f642863006bfefa993bb25143b0883f029e98a
Instruction Fuzzy Hash: 8712AB30204281DFDB25CF25C894BAAB7E1FF65350F1884A9E5858BA61CB72EC52DF91

Function 00C12711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C1273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C1286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C12900
GetClientRect.USER32(00000000,?), ref: 00C1290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C12955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C12964
GetStockObject.GDI32(00000011), ref: 00C12974
SelectObject.GDI32(00000000,00000000), ref: 00C12978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C12988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C12991
DeleteDC.GDI32(00000000), ref: 00C1299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C12A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C12A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C12A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C12A77
GetStockObject.GDI32(00000011), ref: 00C12A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C12A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C12A97

Strings

msctls_progress32, xrefs: 00C12A13
AutoIt v3, xrefs: 00C128F8
static, xrefs: 00C1294F, 00C12A71
DISPLAY, xrefs: 00C1295A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 997182844294858e2b96e736e9cb700da65f551fde973889478b247a78346eb9
Instruction ID: 32fb6fb058f607b58b0165182842eafafe86379c7530c48eb0711abfd4dae60c
Opcode Fuzzy Hash: 997182844294858e2b96e736e9cb700da65f551fde973889478b247a78346eb9
Instruction Fuzzy Hash: 49B17D75A10205AFEB20DF68DC8AFAE7BA9EB08711F048154F915E72E0D770ED41CB94

Function 00C04ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C04AED
GetDriveTypeW.KERNEL32(?,00C2CB68,?,\\.\,00C2CC08), ref: 00C04BCA
SetErrorMode.KERNEL32(00000000,00C2CB68,?,\\.\,00C2CC08), ref: 00C04D36

Strings

Network, xrefs: 00C04C02
CDROM, xrefs: 00C04BFB
iSCSI, xrefs: 00C04CC2
ATAPI, xrefs: 00C04C91
RAID, xrefs: 00C04CBB
SSD, xrefs: 00C04C4A
Fixed, xrefs: 00C04C09
1394, xrefs: 00C04C9F
Virtual, xrefs: 00C04CE5
PhysicalDrive, xrefs: 00C04B76
MMC, xrefs: 00C04CDE
Removable, xrefs: 00C04C10, 00C04C15
RAMDisk, xrefs: 00C04BF4
SSA, xrefs: 00C04CA6
ATA, xrefs: 00C04C98
Fibre, xrefs: 00C04CAD
SAS, xrefs: 00C04CC9
SATA, xrefs: 00C04CD0
USB, xrefs: 00C04CB4
Unknown, xrefs: 00C04BED, 00C04C83
\\.\, xrefs: 00C04B3F
FileBackedVirtual, xrefs: 00C04CEC
SCSI, xrefs: 00C04C8A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 57ec17061fffc9b675de26155f9f1b33b9fd58ee2d557201a0591f22a1cc4abe
Instruction ID: 401c342b673a0776a3e3e22828f493172e7fd7aa8393ff55224c6ad48a323551
Opcode Fuzzy Hash: 57ec17061fffc9b675de26155f9f1b33b9fd58ee2d557201a0591f22a1cc4abe
Instruction Fuzzy Hash: 9761F2B4205205EBDB0CDF24CA8297E77B0EB04701B648469FE06AB2D1CB31EE85DB45

Function 00C273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C27421
SetTextColor.GDI32(?,?), ref: 00C27425
GetSysColorBrush.USER32(0000000F), ref: 00C2743B
GetSysColor.USER32(0000000F), ref: 00C27446
CreateSolidBrush.GDI32(?), ref: 00C2744B
GetSysColor.USER32(00000011), ref: 00C27463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C27471
SelectObject.GDI32(?,00000000), ref: 00C27482
SetBkColor.GDI32(?,00000000), ref: 00C2748B
SelectObject.GDI32(?,?), ref: 00C27498
InflateRect.USER32(?,000000FF,000000FF), ref: 00C274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00C274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C2752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C27554
InflateRect.USER32(?,000000FD,000000FD), ref: 00C27572
DrawFocusRect.USER32(?,?), ref: 00C2757D
GetSysColor.USER32(00000011), ref: 00C2758E
SetTextColor.GDI32(?,00000000), ref: 00C27596
DrawTextW.USER32(?,00C270F5,000000FF,?,00000000), ref: 00C275A8
SelectObject.GDI32(?,?), ref: 00C275BF
DeleteObject.GDI32(?), ref: 00C275CA
SelectObject.GDI32(?,?), ref: 00C275D0
DeleteObject.GDI32(?), ref: 00C275D5
SetTextColor.GDI32(?,?), ref: 00C275DB
SetBkColor.GDI32(?,?), ref: 00C275E5

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: fca8c4ceb13b2b3f66fa247e8918997febc79d378ddb2189041064a2a0c31ea9
Instruction ID: 8bf4ca1c2fc3db4addeb95c166f61cecdb7e4d0499d2be0412a36bcd3d6ef7ee
Opcode Fuzzy Hash: fca8c4ceb13b2b3f66fa247e8918997febc79d378ddb2189041064a2a0c31ea9
Instruction Fuzzy Hash: 5B616F72900218AFDB119FA4DC89BAEBFB9EF08320F104225F911AB6A1D7749941DF90

Function 00C20FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C21128
GetDesktopWindow.USER32 ref: 00C2113D
GetWindowRect.USER32(00000000), ref: 00C21144
GetWindowLongW.USER32(?,000000F0), ref: 00C21199
DestroyWindow.USER32(?), ref: 00C211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C2120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C2121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00C21232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C21245
IsWindowVisible.USER32(00000000), ref: 00C212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C212D0
GetWindowRect.USER32(00000000,?), ref: 00C212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00C2130E
GetMonitorInfoW.USER32(00000000,?), ref: 00C21328
CopyRect.USER32(?,?), ref: 00C2133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00C213AA

Strings

tooltips_class32, xrefs: 00C211E6
0, xrefs: 00C210D3
(, xrefs: 00C2131B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f6259a65920a76486cfeca2d07690e5c20a8bbe44ccabc0bd923074305f66c37
Instruction ID: 8681c79312dabea3c8ab53693c8af9468dd04bf45dc6bc77197e79befae44b88
Opcode Fuzzy Hash: f6259a65920a76486cfeca2d07690e5c20a8bbe44ccabc0bd923074305f66c37
Instruction Fuzzy Hash: C5B1A971608350AFDB10DF64D884B6EBBE5FF98350F04891CF9999B2A1CB31E945CB92

Function 00C20241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C202E5
_wcslen.LIBCMT ref: 00C2031F
_wcslen.LIBCMT ref: 00C20389
_wcslen.LIBCMT ref: 00C203F1
_wcslen.LIBCMT ref: 00C20475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C204C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C20504

Part of subcall function 00BAF9F2: _wcslen.LIBCMT ref: 00BAF9FD

Part of subcall function 00BF223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF2258
Part of subcall function 00BF223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BF228A

Strings

FINDITEM, xrefs: 00C20627
ISSELECTED, xrefs: 00C204DD
GETSUBITEMCOUNT, xrefs: 00C20384, 00C2039F
SELECTINVERT, xrefs: 00C2057E
SELECTALL, xrefs: 00C20515
DESELECT, xrefs: 00C2059C
SELECT, xrefs: 00C20548
SELECTCLEAR, xrefs: 00C2052D
GETSELECTEDCOUNT, xrefs: 00C20470, 00C2048B
VIEWCHANGE, xrefs: 00C20675
GETITEMCOUNT, xrefs: 00C20316, 00C20337
GETSELECTED, xrefs: 00C205E1
GETTEXT, xrefs: 00C203EC, 00C20407

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: bedef373ee9c18059b22c6947c047e818643578376d2e6f97d0730fdfe619f56
Instruction ID: 3bf6af4aa551db35da4e68429c21a09861eafa663fd6407aaa43e92b5a8b7ad9
Opcode Fuzzy Hash: bedef373ee9c18059b22c6947c047e818643578376d2e6f97d0730fdfe619f56
Instruction Fuzzy Hash: 6EE1C3312182118FCB14DF24D59193EB7E5FF98314B2445AEF8A69BBA2DB30EE45CB41

Function 00BA8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BA8968
GetSystemMetrics.USER32(00000007), ref: 00BA8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BA899B
GetSystemMetrics.USER32(00000008), ref: 00BA89A3
GetSystemMetrics.USER32(00000004), ref: 00BA89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BA89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BA89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BA8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BA8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00BA8A5A
GetStockObject.GDI32(00000011), ref: 00BA8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA8A81

Part of subcall function 00BA912D: GetCursorPos.USER32(?), ref: 00BA9141
Part of subcall function 00BA912D: ScreenToClient.USER32(00000000,?), ref: 00BA915E
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000001), ref: 00BA9183
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000002), ref: 00BA919D

SetTimer.USER32(00000000,00000000,00000028,00BA90FC), ref: 00BA8AA8

Strings

AutoIt v3 GUI, xrefs: 00BA8A20

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: eeee6c6b327f817bc51849cdeb68d852359736d4bbec8cbe020adf1eb61e264a
Instruction ID: 8ed374d461e569a7b567b8472653a953c6f6e982a5bf056725cc4a70da2899dd
Opcode Fuzzy Hash: eeee6c6b327f817bc51849cdeb68d852359736d4bbec8cbe020adf1eb61e264a
Instruction Fuzzy Hash: 7AB16971A002099FDB24DFA9CC85BAE3BF5FB48315F144269FA15E7290DB74E841CB51

Function 00BF0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BF1114
Part of subcall function 00BF10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1120
Part of subcall function 00BF10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF112F
Part of subcall function 00BF10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1136
Part of subcall function 00BF10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BF114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BF0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BF0E29
GetLengthSid.ADVAPI32(?), ref: 00BF0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00BF0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BF0E96
GetLengthSid.ADVAPI32(?), ref: 00BF0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BF0EB5
HeapAlloc.KERNEL32(00000000), ref: 00BF0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BF0EDD
CopySid.ADVAPI32(00000000), ref: 00BF0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BF0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BF0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BF0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0F6E
HeapFree.KERNEL32(00000000), ref: 00BF0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0F7E
HeapFree.KERNEL32(00000000), ref: 00BF0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF0F8E
HeapFree.KERNEL32(00000000), ref: 00BF0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00BF0FA1
HeapFree.KERNEL32(00000000), ref: 00BF0FA8

Part of subcall function 00BF1193: GetProcessHeap.KERNEL32(00000008,00BF0BB1,?,00000000,?,00BF0BB1,?), ref: 00BF11A1
Part of subcall function 00BF1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BF0BB1,?), ref: 00BF11A8
Part of subcall function 00BF1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BF0BB1,?), ref: 00BF11B7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 50b0bb2959ede92500b7a2abc0d82637b68b40398be7d1f1d043b76877c51696
Instruction ID: c1b821d5958f4bc1bc87e9e32748f672b90d6c3810afda4764481de6300f81ca
Opcode Fuzzy Hash: 50b0bb2959ede92500b7a2abc0d82637b68b40398be7d1f1d043b76877c51696
Instruction Fuzzy Hash: 6D714D7291020AEBDF20AFA4DC45FBEBBB8FF04310F144555FA19A71A2D771991ACB60

Function 00C1C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C2CC08,00000000,?,00000000,?,?), ref: 00C1C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C1C5A4
_wcslen.LIBCMT ref: 00C1C5F4
_wcslen.LIBCMT ref: 00C1C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C1C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C1C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C1C84D
RegCloseKey.ADVAPI32(?), ref: 00C1C881
RegCloseKey.ADVAPI32(00000000), ref: 00C1C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C1C960

Strings

REG_EXPAND_SZ, xrefs: 00C1C5CD
REG_DWORD, xrefs: 00C1C804
REG_QWORD, xrefs: 00C1C8C3
REG_MULTI_SZ, xrefs: 00C1C6F5
REG_SZ, xrefs: 00C1C644
REG_BINARY, xrefs: 00C1C913

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 9acb374627ad002bac4f51cdc7235b0b72f5b0e11b24af764af8746929844967
Instruction ID: c91f46d5710a6e726e119d3ca98a72666073079eaec6f14694360acfbe4a5af3
Opcode Fuzzy Hash: 9acb374627ad002bac4f51cdc7235b0b72f5b0e11b24af764af8746929844967
Instruction Fuzzy Hash: E7128B356182009FDB14DF14C891B6AB7E5FF89714F0588ACF85A9B3A2DB31ED41DB81

Function 00C2091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C209C6
_wcslen.LIBCMT ref: 00C20A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C20A54
_wcslen.LIBCMT ref: 00C20A8A
_wcslen.LIBCMT ref: 00C20B06
_wcslen.LIBCMT ref: 00C20B81

Part of subcall function 00BAF9F2: _wcslen.LIBCMT ref: 00BAF9FD

Part of subcall function 00BF2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF2BFA

Strings

COLLAPSE, xrefs: 00C20B01, 00C20B1C
EXISTS, xrefs: 00C20B7C, 00C20B97
ISCHECKED, xrefs: 00C20CE1
GETSELECTED, xrefs: 00C20C4E
GETITEMCOUNT, xrefs: 00C20C1E
CHECK, xrefs: 00C20A85, 00C20AA0
SELECT, xrefs: 00C20D11
UNCHECK, xrefs: 00C20D3E
GETTEXT, xrefs: 00C20C97
GETTOTALCOUNT, xrefs: 00C209F2, 00C20A17
EXPAND, xrefs: 00C20BF8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 741d31f15ad3c65a82c978da5f8b3c2e18fb2a2e2b598206732e8d377aa5e65f
Instruction ID: babc4ed9e0345cffd522f29035ac31e9faec7513796313e086ab88e84c74c00d
Opcode Fuzzy Hash: 741d31f15ad3c65a82c978da5f8b3c2e18fb2a2e2b598206732e8d377aa5e65f
Instruction Fuzzy Hash: 49E1B2352083118FCB14DF25D45092AB7E1FF98314F6589AEF8A65B762DB30EE49CB81

Function 00C1C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
_wcslen.LIBCMT ref: 00C1C9F1
_wcslen.LIBCMT ref: 00C1CA68
_wcslen.LIBCMT ref: 00C1CA9E
_wcslen.LIBCMT ref: 00C1CAF9
_wcslen.LIBCMT ref: 00C1CB2F
_wcslen.LIBCMT ref: 00C1CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 00C1CB79, 00C1CB7E
HKCC, xrefs: 00C1CBAC
HKCU, xrefs: 00C1CBCE
HKEY_CLASSES_ROOT, xrefs: 00C1CAF3, 00C1CAF8
HKEY_CURRENT_USER, xrefs: 00C1CBBD
HKLM, xrefs: 00C1CA98, 00C1CA9D
HKU, xrefs: 00C1CBF0
HKCR, xrefs: 00C1CB29, 00C1CB2E
HKEY_USERS, xrefs: 00C1CBDF
HKEY_LOCAL_MACHINE, xrefs: 00C1CA62, 00C1CA67

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 8ddd39f0301f064808725449aae6b1f7ae8f2388f044e31e051ac5283f5f0aac
Instruction ID: b9d915b972ae963984d9fdfa5bebb0dee042fd94699e424f7021bde54d846d2a
Opcode Fuzzy Hash: 8ddd39f0301f064808725449aae6b1f7ae8f2388f044e31e051ac5283f5f0aac
Instruction Fuzzy Hash: 8371E33268412A8BCF21DE68D9D15FF3391AF66754B250268FC7697284E631CEC5E3A0

Function 00C2833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C2835A
_wcslen.LIBCMT ref: 00C2836E
_wcslen.LIBCMT ref: 00C28391
_wcslen.LIBCMT ref: 00C283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C25BF2), ref: 00C2844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C28487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C28501
FreeLibrary.KERNEL32(?), ref: 00C2850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C2851D
DestroyIcon.USER32(?,?,?,?,?,00C25BF2), ref: 00C2852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C28549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C28555

Strings

.icl, xrefs: 00C28368
.exe, xrefs: 00C28388
.dll, xrefs: 00C283AB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 365ac7587b12857fb9503c7c3890dceee56cc213d12c2bc0316fc2c54cb607d0
Instruction ID: a98227e8f46ae89e712c1e939c4d674212c64973a8bd451389fc2d3042eec92f
Opcode Fuzzy Hash: 365ac7587b12857fb9503c7c3890dceee56cc213d12c2bc0316fc2c54cb607d0
Instruction Fuzzy Hash: 5D61ED71510225BFEB24DF64EC81BBE77A8BF08B11F104259F825D64D1DBB4EA84CBA0

Function 00B97778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00BD5153
Bad directive syntax error, xrefs: 00BD519A
#pragma compile, xrefs: 00B977D3
#OnAutoItStartRegister, xrefs: 00B97817
Cannot parse #include, xrefs: 00BD5279
#comments-start, xrefs: 00B9785F, 00B978B1
#ce, xrefs: 00B978ED
#notrayicon, xrefs: 00B977E7
', xrefs: 00BD5169
#include-once, xrefs: 00B9782F
#requireadmin, xrefs: 00B977FF
#include, xrefs: 00B97847
#cs, xrefs: 00B97873, 00B978C5
Unterminated group of comments, xrefs: 00BD528C
#comments-end, xrefs: 00B978D9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: dd10e4c1c3bcd5caddf6afde9d96f5f5c4e14bc4f5617fd6a08af521c736cabe
Instruction ID: bf6ad9c6cef17ea8dca7754afef4c14f556914f691d2248c889d45c0fe516f2e
Opcode Fuzzy Hash: dd10e4c1c3bcd5caddf6afde9d96f5f5c4e14bc4f5617fd6a08af521c736cabe
Instruction Fuzzy Hash: 6781DF71694605ABDF24AFA0DC82FBE77E9EF15300F0440B5F805AA292EF74DA15C6A1

Function 00C03E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C03EF8
_wcslen.LIBCMT ref: 00C03F03
_wcslen.LIBCMT ref: 00C03F5A
_wcslen.LIBCMT ref: 00C03F98
GetDriveTypeW.KERNEL32(?), ref: 00C03FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C0401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C04059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C04087

Strings

open , xrefs: 00C03FE5
set cd door , xrefs: 00C04028
open, xrefs: 00C03F54, 00C03F59
type cdaudio alias cd wait, xrefs: 00C04001
close, xrefs: 00C03EFE, 00C03F18
closed, xrefs: 00C03F08, 00C03F2D, 00C03F46, 00C03F7E, 00C03F97
close cd wait, xrefs: 00C04072
wait, xrefs: 00C04044

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 592f63f20092266875d25e00eaff63c7abcabc26a2009641165132d85edd815f
Instruction ID: b6977df96c51cb94b67ad79aedad1021e16dbb903d5ec1736366b2f58a67527d
Opcode Fuzzy Hash: 592f63f20092266875d25e00eaff63c7abcabc26a2009641165132d85edd815f
Instruction Fuzzy Hash: 0471E2726042029FCB10EF24C88196FB7F4EF94758F5049ADF9A597291EB30EE49CB91

Function 00BF5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BF5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BF5A40
SetWindowTextW.USER32(?,?), ref: 00BF5A57
GetDlgItem.USER32(?,000003EA), ref: 00BF5A6C
SetWindowTextW.USER32(00000000,?), ref: 00BF5A72
GetDlgItem.USER32(?,000003E9), ref: 00BF5A82
SetWindowTextW.USER32(00000000,?), ref: 00BF5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BF5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BF5AC3
GetWindowRect.USER32(?,?), ref: 00BF5ACC
_wcslen.LIBCMT ref: 00BF5B33
SetWindowTextW.USER32(?,?), ref: 00BF5B6F
GetDesktopWindow.USER32 ref: 00BF5B75
GetWindowRect.USER32(00000000), ref: 00BF5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BF5BD3
GetClientRect.USER32(?,?), ref: 00BF5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BF5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BF5C2F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d539819176dd0025fffb454f1cfbf27df11e5519c6c167641cc2f77b31184abd
Instruction ID: 4fc16457c6378824dbc51173c685768041caeba5d32836a5140a3354a393ebaa
Opcode Fuzzy Hash: d539819176dd0025fffb454f1cfbf27df11e5519c6c167641cc2f77b31184abd
Instruction Fuzzy Hash: 4C713A31900B09AFDB30DFA8CE85BAEBBF5FF48705F104558E682A35A0D775A949CB50

Function 00C0FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C0FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00C0FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00C0FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00C0FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00C0FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00C0FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00C0FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00C0FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00C0FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00C0FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00C0FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00C0FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00C0FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00C0FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00C0FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00C0FECC
GetCursorInfo.USER32(?), ref: 00C0FEDC
GetLastError.KERNEL32 ref: 00C0FF1E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 55217fe817f9717fb1375da0e431de78da38c2b376c0ca0e97824709f2356bb9
Instruction ID: e51798f24e02cdfd76e08c0c875ea3c38b016761dd265ccd8bb6d3ed2105b1bf
Opcode Fuzzy Hash: 55217fe817f9717fb1375da0e431de78da38c2b376c0ca0e97824709f2356bb9
Instruction Fuzzy Hash: 8E4174B0D0831A6ADB20DFBA8C8595EBFE8FF04754B50452AF11DE7681DB78A941CE90

Function 00BB00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BB00C6

Part of subcall function 00BB00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C6070C,00000FA0,F327478B,?,?,?,?,00BD23B3,000000FF), ref: 00BB011C
Part of subcall function 00BB00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BD23B3,000000FF), ref: 00BB0127
Part of subcall function 00BB00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BD23B3,000000FF), ref: 00BB0138
Part of subcall function 00BB00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BB014E
Part of subcall function 00BB00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BB015C
Part of subcall function 00BB00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BB016A
Part of subcall function 00BB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BB0195
Part of subcall function 00BB00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BB01A0

___scrt_fastfail.LIBCMT ref: 00BB00E7

Part of subcall function 00BB00A3: __onexit.LIBCMT ref: 00BB00A9

Strings

SleepConditionVariableCS, xrefs: 00BB0154
InitializeConditionVariable, xrefs: 00BB0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BB0122
WakeAllConditionVariable, xrefs: 00BB0162
kernel32.dll, xrefs: 00BB0133

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e8084637911bfb08d710ec22be3db12de3b3c89a4f36d5f208ad10eb055ccdb1
Instruction ID: 4664affe84f8b848aac0f0ecb9aaccb99f449fdfa3e2358b996aac5c50bb4f17
Opcode Fuzzy Hash: e8084637911bfb08d710ec22be3db12de3b3c89a4f36d5f208ad10eb055ccdb1
Instruction Fuzzy Hash: B021F932A647156BD7347BA8AC46BBF73E4EF05B51F10057AF801B2A91DFF098018A90

Function 00BF30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF318D
_wcslen.LIBCMT ref: 00BF31F8

Strings

NAME, xrefs: 00BF3335, 00BF3346
TEXT, xrefs: 00BF347C
INSTANCE, xrefs: 00BF3453
REGEXPCLASS, xrefs: 00BF3255, 00BF3266
CLASS, xrefs: 00BF3188, 00BF31A5
CLASSNN, xrefs: 00BF31F3, 00BF3204

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 51aea28a67143d91223270ba196447b06b74cb32b5c2f0f3a2ba0db7cbebfb36
Instruction ID: d2699fdba8e62ed4abe86f81d9bdb8691c3156d7c2d95b96e75f1321dab2f56b
Opcode Fuzzy Hash: 51aea28a67143d91223270ba196447b06b74cb32b5c2f0f3a2ba0db7cbebfb36
Instruction Fuzzy Hash: 79E19432A0051A9BCF14DFB8C4916FDBBF4FF54B50F5481A9EA56A7240DB30AE8D8790

Function 00C044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00C2CC08), ref: 00C04527
_wcslen.LIBCMT ref: 00C0453B
_wcslen.LIBCMT ref: 00C04599
_wcslen.LIBCMT ref: 00C045F4
_wcslen.LIBCMT ref: 00C0463F
_wcslen.LIBCMT ref: 00C046A7

Part of subcall function 00BAF9F2: _wcslen.LIBCMT ref: 00BAF9FD

GetDriveTypeW.KERNEL32(?,00C56BF0,00000061), ref: 00C04743

Strings

ramdisk, xrefs: 00C046F1
fixed, xrefs: 00C04635, 00C0463A
cdrom, xrefs: 00C0458F, 00C04594
network, xrefs: 00C0469D, 00C046A2
unknown, xrefs: 00C04708
removable, xrefs: 00C045EA, 00C045EF
all, xrefs: 00C04531, 00C04536

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 000f8c27566a4f76eda3ab7ef4fdeee23b963c69c3a3e15d36ef3d9c641218a9
Instruction ID: df2f27bd4efb94d784b0724cca97747938fcc9ae398a09282af5aee5478ddade
Opcode Fuzzy Hash: 000f8c27566a4f76eda3ab7ef4fdeee23b963c69c3a3e15d36ef3d9c641218a9
Instruction Fuzzy Hash: 5FB1D2B16083029FC718DF28C890A7BB7E5AFA5750F50492DF6A6C72D1E731DA44CB52

Function 00C13FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C2CC08), ref: 00C140BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C140CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00C2CC08), ref: 00C140F2
FreeLibrary.KERNEL32(00000000,?,00C2CC08), ref: 00C1413E
StringFromGUID2.OLE32(?,?,00000028,?,00C2CC08), ref: 00C141A8
SysFreeString.OLEAUT32(00000009), ref: 00C14262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C142C8
SysFreeString.OLEAUT32(?), ref: 00C142F2

Strings

kernel32.dll, xrefs: 00C140B6
GetModuleHandleExW, xrefs: 00C140C7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: ce44527d28574761af231238fc72f8222f6bcebc64857247cd3e6038d7b74eff
Instruction ID: 0321858a64941ef0bc175f21072ba9b58efe972610bfb41caea3938b90be0c94
Opcode Fuzzy Hash: ce44527d28574761af231238fc72f8222f6bcebc64857247cd3e6038d7b74eff
Instruction Fuzzy Hash: 5E124E75A00115EFDB18CF54C884EAEBBB5FF4A314F248098F915AB251D731EE86DBA0

Function 00B9326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C61990), ref: 00BD2F8D
GetMenuItemCount.USER32(00C61990), ref: 00BD303D
GetCursorPos.USER32(?), ref: 00BD3081
SetForegroundWindow.USER32(00000000), ref: 00BD308A
TrackPopupMenuEx.USER32(00C61990,00000000,?,00000000,00000000,00000000), ref: 00BD309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BD30A9

Strings

0, xrefs: 00B9327D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 44e774483936d5a1c6acfe9df2314515bc86cb574198dbccbaf70f4802b316cf
Instruction ID: f55f4025339dbd13fa540c7a2d5b1e8e45891e2c943eb941fc2d97eb2a4e724c
Opcode Fuzzy Hash: 44e774483936d5a1c6acfe9df2314515bc86cb574198dbccbaf70f4802b316cf
Instruction Fuzzy Hash: AD710631644245BEEB218F24CC89FAEFFE4FF05724F2402A6F5146A2E1D7B1A910DB90

Function 00C26CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00C26DEB

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C26E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C26E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C26E94
DestroyWindow.USER32(?), ref: 00C26EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B90000,00000000), ref: 00C26EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C26EFD
GetDesktopWindow.USER32 ref: 00C26F16
GetWindowRect.USER32(00000000), ref: 00C26F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C26F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C26F4D

Part of subcall function 00BA9944: GetWindowLongW.USER32(?,000000EB), ref: 00BA9952

Strings

tooltips_class32, xrefs: 00C26E58, 00C26EDD
0, xrefs: 00C26D98

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 804d8280c9004a2fe4f4c1e1809a683e6258f54ae8c58d6a79a98954b2e45282
Instruction ID: ff3b26fffd4848922b3f56462345ee00a91c5ca7f43ea7057217e96350e33bd0
Opcode Fuzzy Hash: 804d8280c9004a2fe4f4c1e1809a683e6258f54ae8c58d6a79a98954b2e45282
Instruction Fuzzy Hash: 83716774104244AFDB21CF58EC84FAABBF9FB89304F18041DF99997661C770AA06CF21

Function 00C2911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

DragQueryPoint.SHELL32(?,?), ref: 00C29147

Part of subcall function 00C27674: ClientToScreen.USER32(?,?), ref: 00C2769A
Part of subcall function 00C27674: GetWindowRect.USER32(?,?), ref: 00C27710
Part of subcall function 00C27674: PtInRect.USER32(?,?,00C28B89), ref: 00C27720

SendMessageW.USER32(?,000000B0,?,?), ref: 00C291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C29225
SendMessageW.USER32(?,000000B0,?,?), ref: 00C2923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C29255
SendMessageW.USER32(?,000000B1,?,?), ref: 00C29277
DragFinish.SHELL32(?), ref: 00C2927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C29371

Strings

@GUI_DRAGFILE, xrefs: 00C29320
@GUI_DROPID, xrefs: 00C2929E
@GUI_DRAGID, xrefs: 00C292E9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 9b51dc241a4c0d6cd23ff0381ddda91e5b058c97266b39292252cb81fe44bc2d
Instruction ID: 28f7468c97a48ebb4b70673779589648bdb9bbe14cbe442129f62fff63aca9fb
Opcode Fuzzy Hash: 9b51dc241a4c0d6cd23ff0381ddda91e5b058c97266b39292252cb81fe44bc2d
Instruction Fuzzy Hash: F6616C71108301AFC711EF64DC85EAFBBE8EF89750F400A6EF595931A1DB709A49CB62

Function 00C0C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C0C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C0C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C0C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C0C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C0C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C0C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C0C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C0C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C0C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C0C5F0
InternetCloseHandle.WININET(00000000), ref: 00C0C5FB

Strings

, xrefs: 00C0C575

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 40ce148013a1c07462eb8b964f0b8c1dff65697bb920ea9194fc0caf0dee956f
Instruction ID: b749b641102367c849470e205f9f8ad2bd6dccdfdd1967de178a1b250a8aac72
Opcode Fuzzy Hash: 40ce148013a1c07462eb8b964f0b8c1dff65697bb920ea9194fc0caf0dee956f
Instruction Fuzzy Hash: 7D514AB4500604AFDB218FA1CDC8BAF7BBCFB08754F004519F95596690DB34EA45EBA0

Function 00C2856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00C28592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285BA
GlobalLock.KERNEL32(00000000), ref: 00C285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285D7
GlobalUnlock.KERNEL32(00000000), ref: 00C285E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C285F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C2FC38,?), ref: 00C28611
GlobalFree.KERNEL32(00000000), ref: 00C28621
GetObjectW.GDI32(?,00000018,?), ref: 00C28641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C28671
DeleteObject.GDI32(?), ref: 00C28699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C286AF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 55ff38605366c37d70a07ed1dd394a2f3f8492e6d76af66efb6bcb9b482c27ab
Instruction ID: c025fc93925b52d5f1418920fc69a33e898050d0235e8cd247c629b17186a8a6
Opcode Fuzzy Hash: 55ff38605366c37d70a07ed1dd394a2f3f8492e6d76af66efb6bcb9b482c27ab
Instruction Fuzzy Hash: 9C412A75601214EFDB21DFA5DC88FAE7BB8EF89711F104059F915E7660DB30AA06CB60

Function 00C014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C01502
VariantCopy.OLEAUT32(?,?), ref: 00C0150B
VariantClear.OLEAUT32(?), ref: 00C01517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C01657
VariantInit.OLEAUT32(?), ref: 00C01708
SysFreeString.OLEAUT32(?), ref: 00C0178C
VariantClear.OLEAUT32(?), ref: 00C017D8
VariantClear.OLEAUT32(?), ref: 00C017E7
VariantInit.OLEAUT32(00000000), ref: 00C01823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C01625
Default, xrefs: 00C016AF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 68a344f4a39ba6a28ed4b3cd1edcd8fd9f0d7e11ac67ac237bb95cdd79e74c12
Instruction ID: bc3e08542857b54d473bd9945ae4e5ad91439f71d2a44c50f7148060d1766b24
Opcode Fuzzy Hash: 68a344f4a39ba6a28ed4b3cd1edcd8fd9f0d7e11ac67ac237bb95cdd79e74c12
Instruction Fuzzy Hash: 7BD1CE31A08519DBDB10AF66D885B7DF7F5BF45700F1880AAE846AF1C0DB30E945DBA1

Function 00C1B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C1B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00C1B80A
RegCloseKey.ADVAPI32(?), ref: 00C1B87E
RegCloseKey.ADVAPI32(?), ref: 00C1B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C1B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C1B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C1B922
FreeLibrary.KERNEL32(00000000), ref: 00C1B983
RegCloseKey.ADVAPI32(00000000), ref: 00C1B994

Strings

RegDeleteKeyExW, xrefs: 00C1B8FE
advapi32.dll, xrefs: 00C1B8ED

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c11480e3b4aa705dd2bfdf1388e545134802827e83097785e9a71b36fd37ebba
Instruction ID: 302e717c8437e04163f57723605f456ff7dda15cc98882570373c37072ad28f2
Opcode Fuzzy Hash: c11480e3b4aa705dd2bfdf1388e545134802827e83097785e9a71b36fd37ebba
Instruction Fuzzy Hash: BBC18D31208201AFD714DF24C495F6ABBE5BF85318F14859CF4AA4B2A2CB71ED86DF91

Function 00C1255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C125E8
CreateCompatibleDC.GDI32(?), ref: 00C125F4
SelectObject.GDI32(00000000,?), ref: 00C12601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C1266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C126D0
SelectObject.GDI32(?,?), ref: 00C126D8
DeleteObject.GDI32(?), ref: 00C126E1
DeleteDC.GDI32(?), ref: 00C126E8
ReleaseDC.USER32(00000000,?), ref: 00C126F3

Strings

(, xrefs: 00C1268D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 31dbbdd202b5057716e6bdf47674fc980c7586f68210a6c7e3a1cbc16aff1e46
Instruction ID: cf0f9e6795b0a25ca0e71f9d9ab526db1ef00724f9a1ef1352636d47758ad2ef
Opcode Fuzzy Hash: 31dbbdd202b5057716e6bdf47674fc980c7586f68210a6c7e3a1cbc16aff1e46
Instruction Fuzzy Hash: 4661E175D00219EFCF14CFA8D885AAEBBF6FF48310F208529E955A7250D770A951DFA0

Function 00BCDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BCDAA1

Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD659
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD66B
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD67D
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD68F
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6A1
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6B3
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6C5
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6D7
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6E9
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD6FB
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD70D
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD71F
Part of subcall function 00BCD63C: _free.LIBCMT ref: 00BCD731

_free.LIBCMT ref: 00BCDA96

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCDAB8
_free.LIBCMT ref: 00BCDACD
_free.LIBCMT ref: 00BCDAD8
_free.LIBCMT ref: 00BCDAFA
_free.LIBCMT ref: 00BCDB0D
_free.LIBCMT ref: 00BCDB1B
_free.LIBCMT ref: 00BCDB26
_free.LIBCMT ref: 00BCDB5E
_free.LIBCMT ref: 00BCDB65
_free.LIBCMT ref: 00BCDB82
_free.LIBCMT ref: 00BCDB9A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f260df6e992a66283ab6fd0ad5fd8babe06d98a4c199615df65f564b9b3dc7ff
Instruction ID: c5196cba14ae1c08ce96667cfb7457aaea2dc32b8209a725478a6dd5b784d3c1
Opcode Fuzzy Hash: f260df6e992a66283ab6fd0ad5fd8babe06d98a4c199615df65f564b9b3dc7ff
Instruction Fuzzy Hash: A53136366047059FEB22AB39E845F5AB7E9FF04311F1544BDF489D72A1DA71AC80CB24

Function 00BF365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BF369C
_wcslen.LIBCMT ref: 00BF36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BF3797
GetClassNameW.USER32(?,?,00000400), ref: 00BF380C
GetDlgCtrlID.USER32(?), ref: 00BF385D
GetWindowRect.USER32(?,?), ref: 00BF3882
GetParent.USER32(?), ref: 00BF38A0
ScreenToClient.USER32(00000000), ref: 00BF38A7
GetClassNameW.USER32(?,?,00000100), ref: 00BF3921
GetWindowTextW.USER32(?,?,00000400), ref: 00BF395D

Strings

%s%u, xrefs: 00BF3734

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: aac1df213fd0b2a33c035916c540adf7f9076544f7d62ec2e1241749e315a891
Instruction ID: 2c217312f7f345256d03d92a3fec5456fc31f949d9c3ad40aefea3c7f8111c11
Opcode Fuzzy Hash: aac1df213fd0b2a33c035916c540adf7f9076544f7d62ec2e1241749e315a891
Instruction Fuzzy Hash: 3F91917120460AAFD715DF24C885FBAF7E8FF44750F008569FA9AC3190DB74AA49CB91

Function 00BF4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BF4994
GetWindowTextW.USER32(?,?,00000400), ref: 00BF49DA
_wcslen.LIBCMT ref: 00BF49EB
CharUpperBuffW.USER32(?,00000000), ref: 00BF49F7
_wcsstr.LIBVCRUNTIME ref: 00BF4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00BF4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00BF4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00BF4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00BF4B20
GetWindowRect.USER32(?,?), ref: 00BF4B8B

Strings

ThumbnailClass, xrefs: 00BF4A6F, 00BF4AF1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b41cbdae1360e5eb95f74938180d71af67a76e0c654d0cfc3ea3b778860f21ee
Instruction ID: d1f11494bfa6779794f446be6de2b0d3be3308a884e8981e379105d614c1e6e5
Opcode Fuzzy Hash: b41cbdae1360e5eb95f74938180d71af67a76e0c654d0cfc3ea3b778860f21ee
Instruction Fuzzy Hash: 47918B311082099FDB14CF14C985BBBB7E8EF84314F0484A9FE859B196DB70ED49CBA1

Function 00C28D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C28D5A
GetFocus.USER32 ref: 00C28D6A
GetDlgCtrlID.USER32(00000000), ref: 00C28D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C28E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C28ECF
GetMenuItemCount.USER32(?), ref: 00C28EEC
GetMenuItemID.USER32(?,00000000), ref: 00C28EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C28F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C28F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C28FA1

Strings

0, xrefs: 00C28E9F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 8b7e41dcfe19aae32ccd3109798231fe0aaf4487afb1541155ab663ded7ce3c3
Instruction ID: f7a74a8adc503d615f132ecd9eaa415de7c16a6524cad240365afde53d51f742
Opcode Fuzzy Hash: 8b7e41dcfe19aae32ccd3109798231fe0aaf4487afb1541155ab663ded7ce3c3
Instruction Fuzzy Hash: 1581D1715093219FDB20CF14E984AAF7BE9FF88314F040919F99497A91DB70DA09DBA1

Function 00BFBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C61990,000000FF,00000000,00000030), ref: 00BFBFAC
SetMenuItemInfoW.USER32(00C61990,00000004,00000000,00000030), ref: 00BFBFE1
Sleep.KERNEL32(000001F4), ref: 00BFBFF3
GetMenuItemCount.USER32(?), ref: 00BFC039
GetMenuItemID.USER32(?,00000000), ref: 00BFC056
GetMenuItemID.USER32(?,-00000001), ref: 00BFC082
GetMenuItemID.USER32(?,?), ref: 00BFC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BFC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BFC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BFC145

Strings

0, xrefs: 00BFBF3D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 52fae64d0c1104f88b2d8b1f3f5fc61c80428391ed473e39b5204fbae83f6bee
Instruction ID: 2febd84b7ba6d2d49d02f409d5441705d73ce3c4769956e2e3ea21955e3bf7a2
Opcode Fuzzy Hash: 52fae64d0c1104f88b2d8b1f3f5fc61c80428391ed473e39b5204fbae83f6bee
Instruction Fuzzy Hash: 5F61717090024EAFDF21CF64DE88BBE7FE8EB05344F144195EA11A3291C775AE99DB60

Function 00BFDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BFDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BFDC46
_wcslen.LIBCMT ref: 00BFDC50
_wcsstr.LIBVCRUNTIME ref: 00BFDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BFDCBC

Strings

04090000, xrefs: 00BFDCF2
%u.%u.%u.%u, xrefs: 00BFDD9A
DefaultLangCodepage, xrefs: 00BFDD1F
\VarFileInfo\Translation, xrefs: 00BFDCB4
StringFileInfo\, xrefs: 00BFDC8F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 84e2d77e67df5e8a7376aa6ef385f28f8dd259c9c9054d7ee3f054658098d652
Instruction ID: e72e69ddf67a1151d85933bd84211a993e449f6f37c0574f735337eeae62646a
Opcode Fuzzy Hash: 84e2d77e67df5e8a7376aa6ef385f28f8dd259c9c9054d7ee3f054658098d652
Instruction Fuzzy Hash: 0F4102369442057BEB14A7649C83EFF77ECEF56710F5000B9FA00A7182EBB4990597A9

Function 00C1CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C1CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C1CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C1CD48

Part of subcall function 00C1CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C1CCAA
Part of subcall function 00C1CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C1CCBD
Part of subcall function 00C1CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C1CCCF
Part of subcall function 00C1CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C1CD05
Part of subcall function 00C1CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C1CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C1CCF3

Strings

RegDeleteKeyExW, xrefs: 00C1CCC9
advapi32.dll, xrefs: 00C1CCB8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 1871f73aee693ea6e0482ee76eedf477362940eee9c5bee8faa75330a6aa2d06
Instruction ID: c2b86226828ce7e68f114ec5e1b6ff637a39b871f84c4c5f506ebb1a0b87718a
Opcode Fuzzy Hash: 1871f73aee693ea6e0482ee76eedf477362940eee9c5bee8faa75330a6aa2d06
Instruction Fuzzy Hash: 2D317A71941129BBDB209B55ECC8FFFBB7CEF06740F000165F916E2640DA749E86EAA0

Function 00C03D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C03D40
_wcslen.LIBCMT ref: 00C03D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C03D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C03DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C03DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C03E55
CloseHandle.KERNEL32(00000000), ref: 00C03E60
CloseHandle.KERNEL32(00000000), ref: 00C03E6B

Strings

\??\%s, xrefs: 00C03D5B
\, xrefs: 00C03D77
:, xrefs: 00C03D82

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 3f95dca5d7d9ba7cdde9ef9e7898c31f6d958b4171d288a1f7788c809ecec371
Instruction ID: a5ddf12b891dd18eac5d2ef7b892c4bd62081c0827e192602d86b206f15ec4eb
Opcode Fuzzy Hash: 3f95dca5d7d9ba7cdde9ef9e7898c31f6d958b4171d288a1f7788c809ecec371
Instruction Fuzzy Hash: 5F31A175A20249ABDB219BA0DC89FEF37BCEF88710F1041B6F515D61A0EB749745CB24

Function 00BFE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BFE6B4

Part of subcall function 00BAE551: timeGetTime.WINMM(?,?,00BFE6D4), ref: 00BAE555

Sleep.KERNEL32(0000000A), ref: 00BFE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BFE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BFE727
SetActiveWindow.USER32 ref: 00BFE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BFE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BFE773
Sleep.KERNEL32(000000FA), ref: 00BFE77E
IsWindow.USER32 ref: 00BFE78A
EndDialog.USER32(00000000), ref: 00BFE79B

Strings

BUTTON, xrefs: 00BFE719

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: eb0dd3aac2c8ff3285a36a93186a0e0619c6bdd04ad93d2dd4a29fa227d6eb97
Instruction ID: 07b2eec794906c034d86d4e6d0401b46913411e76aaa3f72a0dec1376b386dea
Opcode Fuzzy Hash: eb0dd3aac2c8ff3285a36a93186a0e0619c6bdd04ad93d2dd4a29fa227d6eb97
Instruction Fuzzy Hash: 92219270210A08AFEB206F66ECCDB3D3BA9F754749B040465FA22835B1DBB1DC199B24

Function 00BFE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BFEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BFEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BFEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BFEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BFEAA7

Strings

open , xrefs: 00BFEA0C
close PlayMe, xrefs: 00BFEA6E, 00BFEA9B
alias PlayMe, xrefs: 00BFEA36
play PlayMe wait, xrefs: 00BFEA91
status PlayMe mode, xrefs: 00BFEA58
play PlayMe, xrefs: 00BFEAA2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 89624318dd05aa34e7744c7b084f0afdd5a12c4de8e7396adebd5df08271600e
Instruction ID: 9de08610f6bdad633028d52ce1d8a4d5ff8b54c4b99e604c113920ec1aa497d0
Opcode Fuzzy Hash: 89624318dd05aa34e7744c7b084f0afdd5a12c4de8e7396adebd5df08271600e
Instruction Fuzzy Hash: 8C115175A902197DDB20A7A5DC4AEFFAAFCEBD1F01F400579B911A30E1EAB04949C5B0

Function 00BF9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BFA012
SetKeyboardState.USER32(?), ref: 00BFA07D
GetAsyncKeyState.USER32(000000A0), ref: 00BFA09D
GetKeyState.USER32(000000A0), ref: 00BFA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00BFA0E3
GetKeyState.USER32(000000A1), ref: 00BFA0F4
GetAsyncKeyState.USER32(00000011), ref: 00BFA120
GetKeyState.USER32(00000011), ref: 00BFA12E
GetAsyncKeyState.USER32(00000012), ref: 00BFA157
GetKeyState.USER32(00000012), ref: 00BFA165
GetAsyncKeyState.USER32(0000005B), ref: 00BFA18E
GetKeyState.USER32(0000005B), ref: 00BFA19C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 49ed54290f748513e19d184aa9a442af504afabb98fc92ee4eb86e8a00dc2fa4
Instruction ID: 9baac7127823300e279d83d6e34a65fc56a4f594e9e489af74747599ffb23ded
Opcode Fuzzy Hash: 49ed54290f748513e19d184aa9a442af504afabb98fc92ee4eb86e8a00dc2fa4
Instruction Fuzzy Hash: 1451B76090478C29FB39EB708855BFAAFF4DF12380F0885D9D6C6575C2DA64AB4CC762

Function 00BF5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BF5CE2
GetWindowRect.USER32(00000000,?), ref: 00BF5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BF5D59
GetDlgItem.USER32(?,00000002), ref: 00BF5D69
GetWindowRect.USER32(00000000,?), ref: 00BF5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BF5DCF
GetDlgItem.USER32(?,000003E9), ref: 00BF5DDD
GetWindowRect.USER32(00000000,?), ref: 00BF5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BF5E31
GetDlgItem.USER32(?,000003EA), ref: 00BF5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BF5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00BF5E67

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6b94eb9b64df10e54091e90627ea65c574a12a525df08b863608249d2297fe3c
Instruction ID: 75af86844b3fa1ff09c296c22cf4900783f0592f97fb08a971fc1f824650bdf7
Opcode Fuzzy Hash: 6b94eb9b64df10e54091e90627ea65c574a12a525df08b863608249d2297fe3c
Instruction Fuzzy Hash: 28512E74A10609AFDB28CF68CD89BAEBBF5FB48300F108169F615E7690D7709E05CB50

Function 00BA8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BA8BE8,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BA8FC5

DestroyWindow.USER32(?), ref: 00BA8C81
KillTimer.USER32(00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BA8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00BE6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BE69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BA8BBA,00000000,?), ref: 00BE69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BA8BBA,00000000), ref: 00BE69D4
DeleteObject.GDI32(00000000), ref: 00BE69E6

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1fe5f49bf84223bc1c205290914726e7562924f7c51ab481696b9cf259753264
Instruction ID: 953c48b2eff49b9fb7f0881936b53b23cf43adbdb262b2c0c2f1c91334b4aaab
Opcode Fuzzy Hash: 1fe5f49bf84223bc1c205290914726e7562924f7c51ab481696b9cf259753264
Instruction Fuzzy Hash: E461A930406640DFCB359F16C988B2DB7F1FB56362F1845ACE4429B9A0DBB5A891CF90

Function 00BA9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9944: GetWindowLongW.USER32(?,000000EB), ref: 00BA9952

GetSysColor.USER32(0000000F), ref: 00BA9862

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 13b2b7cc3e676a7962731953950eef8d8f0e49a456215fd6d3f8d38d95b56082
Instruction ID: f5f192f43ba374db49637eb89f5fbb846919cce2e051e3d9e68d95178134465c
Opcode Fuzzy Hash: 13b2b7cc3e676a7962731953950eef8d8f0e49a456215fd6d3f8d38d95b56082
Instruction Fuzzy Hash: 4A418D31148640AADB309B399C85BBE3BE5EB17361F144695E9B28B1E1C7799C42EB10

Function 00BF96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BF9717
LoadStringW.USER32(00000000,?,00BDF7F8,00000001), ref: 00BF9720

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BDF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BF9742
LoadStringW.USER32(00000000,?,00BDF7F8,00000001), ref: 00BF9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BF9866

Strings

Line %d:, xrefs: 00BF97A0
^ ERROR, xrefs: 00BF97FB
Error: , xrefs: 00BF981D
Line %d (File "%s"):, xrefs: 00BF978F
%s (%d) : ==> %s: %s %s, xrefs: 00BF984A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4d3a3fea24488e919842d3005aa2b57beec4817bf79cc6aec1c5e7edef4ecc66
Instruction ID: 1de2c3da2ba17839eca5e043671ea32799f2a89a9ffcd22ccbcd5c878eea2605
Opcode Fuzzy Hash: 4d3a3fea24488e919842d3005aa2b57beec4817bf79cc6aec1c5e7edef4ecc66
Instruction Fuzzy Hash: D2411A72804209AACF14EBE4DD86EFEB7B8AF15740F5040B9F60573092EB656F49CB61

Function 00BF06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BF07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BF07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BF07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BF0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BF082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BF0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BF083C

Strings

SOFTWARE\Classes\, xrefs: 00BF070E
\IPC$, xrefs: 00BF0784
\CLSID, xrefs: 00BF0724

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5c73522eb5af03066f1d547f4a29720f9906fdafcf2cf1480c04c9fd0bbbecaf
Instruction ID: c07732ce4b9d4703884ae81db7df292284d3d1fa8208791783ba9e7173545006
Opcode Fuzzy Hash: 5c73522eb5af03066f1d547f4a29720f9906fdafcf2cf1480c04c9fd0bbbecaf
Instruction Fuzzy Hash: CC410872C2022DABDF21EBA4DC95DFDB7B8FF04750B0441A9E911A3161EB709E49CB90

Function 00C23F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C2403B
CreateCompatibleDC.GDI32(00000000), ref: 00C24042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C24055
SelectObject.GDI32(00000000,00000000), ref: 00C2405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C24068
DeleteDC.GDI32(00000000), ref: 00C24072
GetWindowLongW.USER32(?,000000EC), ref: 00C2407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00C24092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00C2409E

Strings

static, xrefs: 00C23FD3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: daa96dc1d9c5aed5b9a4fb2edab33145fec1b581327cdf2d0564240cf2f39202
Instruction ID: 1bd77d110c4f36fb07152aabbfce5b266b73e086cf303493badeabb0b6bee48b
Opcode Fuzzy Hash: daa96dc1d9c5aed5b9a4fb2edab33145fec1b581327cdf2d0564240cf2f39202
Instruction Fuzzy Hash: DB31AD32101225ABDF219FA8EC49FDE3BA8FF0D720F100211FA29E24A0C775D961DB90

Function 00C13C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C13C5C
CoInitialize.OLE32(00000000), ref: 00C13C8A
CoUninitialize.OLE32 ref: 00C13C94
_wcslen.LIBCMT ref: 00C13D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00C13DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C13ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C13F0E
CoGetObject.OLE32(?,00000000,00C2FB98,?), ref: 00C13F2D
SetErrorMode.KERNEL32(00000000), ref: 00C13F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C13FC4
VariantClear.OLEAUT32(?), ref: 00C13FD8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 497195daea1bf4e70389a219d8b91173fcb27e7e0b017f9a26d43c03bb881007
Instruction ID: d8215162291a7a7fa1700bfddb9a774b3dd61d7f9730fe2a1d8d1b7ff0a0fb56
Opcode Fuzzy Hash: 497195daea1bf4e70389a219d8b91173fcb27e7e0b017f9a26d43c03bb881007
Instruction Fuzzy Hash: 7DC168716083459FD700DF68C88496BB7E9FF8A748F00496DF98A9B250D730EE86DB52

Function 00C07A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C07AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C07B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C07BA3
CoCreateInstance.OLE32(00C2FD08,00000000,00000001,00C56E6C,?), ref: 00C07BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C07C74
CoTaskMemFree.OLE32(?,?), ref: 00C07CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C07D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C07D7A
CoTaskMemFree.OLE32(00000000), ref: 00C07D81
CoTaskMemFree.OLE32(00000000), ref: 00C07DD6
CoUninitialize.OLE32 ref: 00C07DDC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1ef235ccafeec5e30d097223fc0c5ebd8912a68d7c0366b1e586ffa67f072c31
Instruction ID: 9fdfde5f1834ee7047af36279ed040774985a56f8f5e5312ab7228c68360c73b
Opcode Fuzzy Hash: 1ef235ccafeec5e30d097223fc0c5ebd8912a68d7c0366b1e586ffa67f072c31
Instruction Fuzzy Hash: F8C12C75A04209AFCB14DF64C888EAEBBF9FF48304B1485A9F815DB661D730EE45CB90

Function 00C2541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C25504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C25515
CharNextW.USER32(00000158), ref: 00C25544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C25585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C2559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C255AC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: acad9be595055620a136dfa7aa60bf7a5c20da1defc2b29e89f11f36b4c3bf24
Instruction ID: 4e3b33fbec8c6ce97aeb4f36ded5c56ae4810814f3700f2bf2ce988b949a4944
Opcode Fuzzy Hash: acad9be595055620a136dfa7aa60bf7a5c20da1defc2b29e89f11f36b4c3bf24
Instruction Fuzzy Hash: 2E61AD74900628AFDF20EF55EC84AFF7BB9EF09720F108155F925A7A90D7708A81DB60

Function 00BEFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BEFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00BEFB08
VariantInit.OLEAUT32(?), ref: 00BEFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BEFB3A
VariantCopy.OLEAUT32(?,?), ref: 00BEFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BEFBA1
VariantClear.OLEAUT32(?), ref: 00BEFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BEFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BEFBCC
VariantClear.OLEAUT32(?), ref: 00BEFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BEFBE9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6acdb23913054691833feaa7937758db888328f86f2c5be4040e3ad85850a001
Instruction ID: 3af932fc5345bbb9fdc50c6733dfec2f5850338912f7323426651122e9cd485a
Opcode Fuzzy Hash: 6acdb23913054691833feaa7937758db888328f86f2c5be4040e3ad85850a001
Instruction Fuzzy Hash: E1415135A1021A9FCF10EF65DC94ABEBBF9EF48344F0080A5E915A7261D734E946CF90

Function 00BF9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BF9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00BF9D22
GetKeyState.USER32(000000A0), ref: 00BF9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00BF9D57
GetKeyState.USER32(000000A1), ref: 00BF9D6C
GetAsyncKeyState.USER32(00000011), ref: 00BF9D84
GetKeyState.USER32(00000011), ref: 00BF9D96
GetAsyncKeyState.USER32(00000012), ref: 00BF9DAE
GetKeyState.USER32(00000012), ref: 00BF9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00BF9DD8
GetKeyState.USER32(0000005B), ref: 00BF9DEA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 346a9d0e1a711b9ce90d07a71a759a9fe321528749c52c7e5d31eb529339a486
Instruction ID: a00684940e8f1b121e858c2ac6b40e7d59afaa66d806786cc4877a33fb312821
Opcode Fuzzy Hash: 346a9d0e1a711b9ce90d07a71a759a9fe321528749c52c7e5d31eb529339a486
Instruction Fuzzy Hash: C941A634504BCD69FF35966488443B9BEE0EF12344F1480EADBC6575C2DBA599CCC7A2

Function 00C1055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C105BC
inet_addr.WSOCK32(?), ref: 00C1061C
gethostbyname.WSOCK32(?), ref: 00C10628
IcmpCreateFile.IPHLPAPI ref: 00C10636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00C107B9
WSACleanup.WSOCK32 ref: 00C107BF

Strings

Ping, xrefs: 00C10676

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 155e1b95c511117e14e399c76e78944c4611e49c4f5225480282505646954180
Instruction ID: d295c591d86118c0717d4f08b3e861a1144a2595cb5771f55877ee2a91cec7fc
Opcode Fuzzy Hash: 155e1b95c511117e14e399c76e78944c4611e49c4f5225480282505646954180
Instruction Fuzzy Hash: 42919C356082019FD720DF15C889F5ABBE0AF45318F2485A9F4698B6A2C7B0EDC1DFD1

Function 00C18CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C18CF3

Part of subcall function 00BF8E54: _wcslen.LIBCMT ref: 00BF8E77

_wcslen.LIBCMT ref: 00C18D4E
_wcslen.LIBCMT ref: 00C18D9C
_wcslen.LIBCMT ref: 00C18DDC
_wcslen.LIBCMT ref: 00C18E6E

Strings

stdcall, xrefs: 00C18DD6, 00C18DDB
cdecl, xrefs: 00C18D48, 00C18D4D
none, xrefs: 00C18E65, 00C18E6A
winapi, xrefs: 00C18D96, 00C18D9B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f5d56f09935d4ff36984bcd94da399f54ce2c33ef34ab65dcd1ef92cab105f2d
Instruction ID: 51b58bc0675cef08cfe60d13405a8d6368547765831f3d2f0a7b9b9d76a67ed1
Opcode Fuzzy Hash: f5d56f09935d4ff36984bcd94da399f54ce2c33ef34ab65dcd1ef92cab105f2d
Instruction Fuzzy Hash: 1851A335A081169BCF14DF6CC9409FEB7E5BF66724B204269E825E72C5DB30DE88D790

Function 00C1372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C13774
CoUninitialize.OLE32 ref: 00C1377F
CoCreateInstance.OLE32(?,00000000,00000017,00C2FB78,?), ref: 00C137D9
IIDFromString.OLE32(?,?), ref: 00C1384C
VariantInit.OLEAUT32(?), ref: 00C138E4
VariantClear.OLEAUT32(?), ref: 00C13936

Strings

Failed to create object, xrefs: 00C137E4, 00C1389A
Invalid parameter, xrefs: 00C13865
NULL Pointer assignment, xrefs: 00C1381E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 32654b2f3e38d321fbe07e991a6a18180a8ce9cfcb0fee85ba6913af38431d5e
Instruction ID: 770816ff6c57cb2e7c84423dd03dff72a25b28dceafca1ac2dc2610e99fd057a
Opcode Fuzzy Hash: 32654b2f3e38d321fbe07e991a6a18180a8ce9cfcb0fee85ba6913af38431d5e
Instruction Fuzzy Hash: DA61B2706083419FD711DF54C888BAEB7E4EF46718F10445AF995972D1C770EE88DB92

Function 00C03388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C033CF

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C033F0

Strings

Incorrect parameters to object property !, xrefs: 00C034AB
^ ERROR , xrefs: 00C0349E
"%s" (%d) : ==> %s:, xrefs: 00C03522
Error: , xrefs: 00C034D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00C03504
Line %d (File "%s"):, xrefs: 00C03443, 00C0345C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 5339b1d4dd104622248f43df5fd89b7129bbd50377af63ccd6a89fac51748d11
Instruction ID: 04dbd063ede44af4d4622066e099aad9bd9d8a305a06c479e554cdd4bd766eb5
Opcode Fuzzy Hash: 5339b1d4dd104622248f43df5fd89b7129bbd50377af63ccd6a89fac51748d11
Instruction Fuzzy Hash: 79517D31900209AADF15EBE4CD82EFEB7B8AF14741F1441B5F905721A2EB716F98DB60

Function 00BFB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BFB5FC
_wcslen.LIBCMT ref: 00BFB608
_wcslen.LIBCMT ref: 00BFB64D
_wcslen.LIBCMT ref: 00BFB68C
_wcslen.LIBCMT ref: 00BFB6C7

Strings

KEYS, xrefs: 00BFB647, 00BFB64C
EXISTS, xrefs: 00BFB686, 00BFB68B
APPEND, xrefs: 00BFB6C1, 00BFB6C6
REMOVE, xrefs: 00BFB602, 00BFB607

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0ca88cf9195decaec63c81ce3dcdef832b7e4b8667572ce46636c7ccee6bfb06
Instruction ID: 1dd5c9be605dd0cc4a17decde5c327cef6554fd99f7ffa1b2f4a6cb52cea6aa8
Opcode Fuzzy Hash: 0ca88cf9195decaec63c81ce3dcdef832b7e4b8667572ce46636c7ccee6bfb06
Instruction Fuzzy Hash: 6641A632A0012AABCB106F7DC8909BEF7E5FF65794B2441A9E661D7284F731CD89C790

Function 00C05393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C05416
GetLastError.KERNEL32 ref: 00C05420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C054A7

Strings

NOTREADY, xrefs: 00C0544B
READONLY, xrefs: 00C05452
UNKNOWN, xrefs: 00C05444
INVALID, xrefs: 00C05459
READY, xrefs: 00C05460, 00C05468

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dfe7741c31336fcb2abdb9a231bd7ca47fef054cbe604be290687f3c36da5ad8
Instruction ID: 699e68a6f6b1819586911ccd234c01fbd5b63f04befd6d20f0d9f05ce3bc91bf
Opcode Fuzzy Hash: dfe7741c31336fcb2abdb9a231bd7ca47fef054cbe604be290687f3c36da5ad8
Instruction Fuzzy Hash: 3C319D75A006059FCB10DFA8C485BEEBBB8EB04305F548069E915CB2D2DB70DE86CF91

Function 00C23C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00C23C79
SetMenu.USER32(?,00000000), ref: 00C23C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C23D10
IsMenu.USER32(?), ref: 00C23D24
CreatePopupMenu.USER32 ref: 00C23D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C23D5B
DrawMenuBar.USER32 ref: 00C23D63

Strings

0, xrefs: 00C23C54
F, xrefs: 00C23D4E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 813d7820d0ea94a2456f184569d8c4bca540525322d43e277a36a64c57736b79
Instruction ID: 59029beedf726f11cb018bafd15ac4f5423262b18655185b93d451d04c3d02d6
Opcode Fuzzy Hash: 813d7820d0ea94a2456f184569d8c4bca540525322d43e277a36a64c57736b79
Instruction Fuzzy Hash: 4A418778A11219AFDB24CF64E888BAE7BB5FF49350F140028F956A7360D774EA10DF94

Function 00BF1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00BF1F64
GetDlgCtrlID.USER32 ref: 00BF1F6F
GetParent.USER32 ref: 00BF1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BF1F8E
GetDlgCtrlID.USER32(?), ref: 00BF1F97
GetParent.USER32(?), ref: 00BF1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BF1FAE

Strings

ComboBox, xrefs: 00BF1EEC
ListBox, xrefs: 00BF1F21

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e8d20146017fa0d7cf4008c2d6d2623193bef6bc49e3b73822b82acfa9861652
Instruction ID: 31aff3b37bf26d51d2aa3db014c6751779f184e5fc373532feafae45a5fc00f5
Opcode Fuzzy Hash: e8d20146017fa0d7cf4008c2d6d2623193bef6bc49e3b73822b82acfa9861652
Instruction Fuzzy Hash: AD21B074900218BBCF14EFA4CC95AFEBBF8EF15350F004599FA61A72A1CB345909DB60

Function 00BF1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00BF2043
GetDlgCtrlID.USER32 ref: 00BF204E
GetParent.USER32 ref: 00BF206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BF206D
GetDlgCtrlID.USER32(?), ref: 00BF2076
GetParent.USER32(?), ref: 00BF208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BF208D

Strings

ComboBox, xrefs: 00BF1FCD
ListBox, xrefs: 00BF2002

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3ee87e255f1773366b51453471095861e1d96b8b1443a37c9777ffa6b31a1bba
Instruction ID: 8d7b99a4cc977889f11ffbdfd721dd5bf01640ebe601469303e84851fa3a4c0e
Opcode Fuzzy Hash: 3ee87e255f1773366b51453471095861e1d96b8b1443a37c9777ffa6b31a1bba
Instruction Fuzzy Hash: C0218E75900218BBCF14AFB4CC95AFEBBF8EB05340F00409ABA51A72A1DA755959DB60

Function 00C23A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C23A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C23AA0
GetWindowLongW.USER32(?,000000F0), ref: 00C23AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C23AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C23B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C23BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C23BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C23BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C23BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C23C13

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ac8787f9020b374ea882957d6e0aafff42ca669b363221fca753e149704ccf62
Instruction ID: 3b248e23b7ae153c550259469c189349d1725558c04e47439fc66786ff481866
Opcode Fuzzy Hash: ac8787f9020b374ea882957d6e0aafff42ca669b363221fca753e149704ccf62
Instruction Fuzzy Hash: 47616975900258AFDB20DFA8DC81FEE77F8EB09710F140199FA15A72A1D774AE41DB50

Function 00BFB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BFB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB165
GetWindowThreadProcessId.USER32(00000000), ref: 00BFB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BFB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00BFA1E1,?,00000001), ref: 00BFB21D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3ce2b35c3ad96c836d91c1ed08f93a0f8cb2cf62ba13ddfcb4d03b353a7d6ec7
Instruction ID: 3e9fad6cbc756822a4b704e3de521f96b2015f314c427d10e22948020b22371f
Opcode Fuzzy Hash: 3ce2b35c3ad96c836d91c1ed08f93a0f8cb2cf62ba13ddfcb4d03b353a7d6ec7
Instruction Fuzzy Hash: DC316B75520208BFEB209F65DC88FBD7BA9FB61311F104055FA05D7190D7B89A498F60

Function 00BC2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC2C94

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BC2CA0
_free.LIBCMT ref: 00BC2CAB
_free.LIBCMT ref: 00BC2CB6
_free.LIBCMT ref: 00BC2CC1
_free.LIBCMT ref: 00BC2CCC
_free.LIBCMT ref: 00BC2CD7
_free.LIBCMT ref: 00BC2CE2
_free.LIBCMT ref: 00BC2CED
_free.LIBCMT ref: 00BC2CFB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19c81468e03af758510858ad8855e8e1c433a7d1dfadbe7982bcebf9b9052770
Instruction ID: b0cb16e32b4f84fb95c9b56d9828c35b3f85410d6db251085702261860eca1d0
Opcode Fuzzy Hash: 19c81468e03af758510858ad8855e8e1c433a7d1dfadbe7982bcebf9b9052770
Instruction Fuzzy Hash: 6C117476510108AFCB02EF54D982EDD3BA5FF05350F5145A9FA889F322DA71EE509B90

Function 00C07DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C07FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C07FC1
GetFileAttributesW.KERNEL32(?), ref: 00C07FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C08005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C08060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C080B0

Strings

*.*, xrefs: 00C08066

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 626bad22618edfb95e32f8f97a35f128ce9dfb2b7d92cada06bc5aaaf02bb0ae
Instruction ID: af27d65f77b1f3bbdd94955034293990bbb114104208f783d9a45b5d531b64b3
Opcode Fuzzy Hash: 626bad22618edfb95e32f8f97a35f128ce9dfb2b7d92cada06bc5aaaf02bb0ae
Instruction Fuzzy Hash: E181B4729082059FCB24DF15C444AAEB7D8BF84314F548D6EF8A5C7290EB35EE49CB52

Function 00B95BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B95C7A

Part of subcall function 00B95D0A: GetClientRect.USER32(?,?), ref: 00B95D30
Part of subcall function 00B95D0A: GetWindowRect.USER32(?,?), ref: 00B95D71
Part of subcall function 00B95D0A: ScreenToClient.USER32(?,?), ref: 00B95D99

GetDC.USER32 ref: 00BD46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BD4708
SelectObject.GDI32(00000000,00000000), ref: 00BD4716
SelectObject.GDI32(00000000,00000000), ref: 00BD472B
ReleaseDC.USER32(?,00000000), ref: 00BD4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BD47C4

Strings

U, xrefs: 00BD4693

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 58ef6a625b22b31b27170045e644571f1e9497b59cb07af33d835a5b0b9c40f6
Instruction ID: 0263ad69e6e54a83e3969897dc40a749bf342c7c061cd12c04f2f21cef36b087
Opcode Fuzzy Hash: 58ef6a625b22b31b27170045e644571f1e9497b59cb07af33d835a5b0b9c40f6
Instruction Fuzzy Hash: D271AC31500205DFCF228F64C984AAABBF5FF4A361F1842AAED565A2A6E7319C41DF50

Function 00C0359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C035E4

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

LoadStringW.USER32(00C62390,?,00000FFF,?), ref: 00C0360A

Strings

^ ERROR, xrefs: 00C036C9
"%s" (%d) : ==> %s:, xrefs: 00C03742
Error: , xrefs: 00C036EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00C03724
Line %d (File "%s"):, xrefs: 00C0366B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: aae947922de600e390b9ed1f1a39041a562cc4387cbcaada2bf8d41c308dfbdf
Instruction ID: 65f60a87a65d92565039773c6318fcc8dd0e142e1859e1ad2e06303cf450ae18
Opcode Fuzzy Hash: aae947922de600e390b9ed1f1a39041a562cc4387cbcaada2bf8d41c308dfbdf
Instruction Fuzzy Hash: 29519F71800209BADF14EBA4CC82EEDBBB8EF14741F0841B9F515721A1EB711B99DFA0

Function 00C28B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

Part of subcall function 00BA912D: GetCursorPos.USER32(?), ref: 00BA9141
Part of subcall function 00BA912D: ScreenToClient.USER32(00000000,?), ref: 00BA915E
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000001), ref: 00BA9183
Part of subcall function 00BA912D: GetAsyncKeyState.USER32(00000002), ref: 00BA919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C28B6B
ImageList_EndDrag.COMCTL32 ref: 00C28B71
ReleaseCapture.USER32 ref: 00C28B77
SetWindowTextW.USER32(?,00000000), ref: 00C28C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C28C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C28CFF

Strings

@GUI_DRAGFILE, xrefs: 00C28C9A
@GUI_DROPID, xrefs: 00C28C51

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 7284e67ebaccd43c79cf8f604e51a4f00409ef4115bceb4f54f5eebaa564eb90
Instruction ID: 768bed810208190d1e78dfc6afed18a034029dfa97214088dd44e390049be2ec
Opcode Fuzzy Hash: 7284e67ebaccd43c79cf8f604e51a4f00409ef4115bceb4f54f5eebaa564eb90
Instruction Fuzzy Hash: 22519A70109310AFDB14DF24DC96BAE77E4FB88711F04066DF996972E1CB709A48CBA2

Function 00C0C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C0C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C0C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C0C2CA
GetLastError.KERNEL32 ref: 00C0C322
SetEvent.KERNEL32(?), ref: 00C0C336
InternetCloseHandle.WININET(00000000), ref: 00C0C341

Strings

, xrefs: 00C0C2BB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 47fe89977d842e4bf6c0c97271a4b4e85923d5ee5abf32306a742ff5920db312
Instruction ID: 4ef310b762c3fe27e7b62486f0e2ac8e930c4293a0a412ff6b3221aa4cdadc47
Opcode Fuzzy Hash: 47fe89977d842e4bf6c0c97271a4b4e85923d5ee5abf32306a742ff5920db312
Instruction Fuzzy Hash: 0D318BB1610608AFD7219FA588C8BAF7BFCEB49B44B10861EF456D2690DB34DE05DB60

Function 00BF989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BD3AAF,?,?,Bad directive syntax error,00C2CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BF98BC
LoadStringW.USER32(00000000,?,00BD3AAF,?), ref: 00BF98C3

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BF9987

Strings

Line %d:, xrefs: 00BF9912
., xrefs: 00BF996D
Error: , xrefs: 00BF9955
Line %d (File "%s"):, xrefs: 00BF992D
%s (%d) : ==> %s.: %s %s, xrefs: 00BF98F1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1209a7967468472eceec881a31b3d8a499592ed7aa11f97529c1aac9721693e3
Instruction ID: d90c5dcbf8bce6b719d9cd50d5f1047db19553893667c4c96048ae6e4c13d228
Opcode Fuzzy Hash: 1209a7967468472eceec881a31b3d8a499592ed7aa11f97529c1aac9721693e3
Instruction Fuzzy Hash: 5E217E3184421EABCF11AF90CC46FFE77B5FF28701F0444AAF915620A2EB719658DB60

Function 00BF209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BF20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00BF20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BF214D

Strings

largeicons, xrefs: 00BF20E1
SHELLDLL_DefView, xrefs: 00BF20CC
smallicons, xrefs: 00BF2115
list, xrefs: 00BF212F
details, xrefs: 00BF20FB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 697d90bc6f2119587f6c4c9c788cc401a6ebaf62ed3f50dfaec1475048634d12
Instruction ID: 207518184cc83db979ebe9cc46f9c321de40645fc8f00286be95d42bf170770a
Opcode Fuzzy Hash: 697d90bc6f2119587f6c4c9c788cc401a6ebaf62ed3f50dfaec1475048634d12
Instruction Fuzzy Hash: D111EB7A58470ABAFA116320DC1BDFA77DCDB05315B2001A5FB04B60D2EBA1994E551D

Function 00BC8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bab143d8c0679d38e63ed80b47e076ccb1250166bbc3cbce77bfc50288ea146
Instruction ID: 3a1cc1804ed215231c3be30e582331377ada46ef6a05d839763a7b2941e69001
Opcode Fuzzy Hash: 7bab143d8c0679d38e63ed80b47e076ccb1250166bbc3cbce77bfc50288ea146
Instruction Fuzzy Hash: D5C19D75A04249AFEB21DFA8D885FEDBBF0AF09310F1441DDF915A7292C7B09942CB61

Function 00BCCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BCCEB7
_free.LIBCMT ref: 00BCCF22
_free.LIBCMT ref: 00BCCF48
_free.LIBCMT ref: 00BCCF71
_free.LIBCMT ref: 00BCCFA9
_free.LIBCMT ref: 00BCCFDA
_free.LIBCMT ref: 00BCD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00BCD09C
_free.LIBCMT ref: 00BCD0B5

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8809621080fff82a3bbadccdcaa148c6bd5b0dee73411a89637d14aa25666d0d
Instruction ID: db3ada028faad74cb58fce526c1ab2c50472d4644dc846f63fe2b3ecfe5539ca
Opcode Fuzzy Hash: 8809621080fff82a3bbadccdcaa148c6bd5b0dee73411a89637d14aa25666d0d
Instruction Fuzzy Hash: 6E610371904201AFDB21AFB89891F6E7FE9EF15320F1442FDF949E7282D6719D058790

Function 00BA8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BE6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BE68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BE68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BE68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BE68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BE6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BE691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BA8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BE692D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0f583e1a7e6af8e30d14c9ee1976055d036ba83201ed7b33dd8616850a248e93
Instruction ID: 635b7964eee6fb3d1a1396ca647334baf21add00fccc52701ce3ef23110386bc
Opcode Fuzzy Hash: 0f583e1a7e6af8e30d14c9ee1976055d036ba83201ed7b33dd8616850a248e93
Instruction Fuzzy Hash: D751B770600209EFDB20CF25CC85BAE3BF5FB58360F140168F902976A0DB71E990DB60

Function 00C0C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C0C182
GetLastError.KERNEL32 ref: 00C0C195
SetEvent.KERNEL32(?), ref: 00C0C1A9

Part of subcall function 00C0C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C0C272
Part of subcall function 00C0C253: GetLastError.KERNEL32 ref: 00C0C322
Part of subcall function 00C0C253: SetEvent.KERNEL32(?), ref: 00C0C336
Part of subcall function 00C0C253: InternetCloseHandle.WININET(00000000), ref: 00C0C341

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bcfe865b19227dc15c94583e07be3d7e916f8d6bc6a6208396c80bc5352a0d0b
Instruction ID: ad03fe18a71e64b293ce8a890baaa028a265af47b5585b00e3749e6182607fce
Opcode Fuzzy Hash: bcfe865b19227dc15c94583e07be3d7e916f8d6bc6a6208396c80bc5352a0d0b
Instruction Fuzzy Hash: 78318E71600601EFDB259FE5DD84B6ABBF8FF18300B00461DF96682A60DB30E915EBA0

Function 00BF25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF3A57
Part of subcall function 00BF3A3D: GetCurrentThreadId.KERNEL32 ref: 00BF3A5E
Part of subcall function 00BF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BF25B3), ref: 00BF3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BF25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BF25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BF25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BF25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BF2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BF2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BF260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BF2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BF2627

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 02d15912ce309c829b469a609407797c6aab4e6beeb8529d63eff9a3c1fdb995
Instruction ID: 67bd7bd4099d3cd62a5af29084a09837980a73e1faf8601a7f2568fc52e893c6
Opcode Fuzzy Hash: 02d15912ce309c829b469a609407797c6aab4e6beeb8529d63eff9a3c1fdb995
Instruction Fuzzy Hash: A901D4303A0614BBFB2067699CCAF6D3F99DF4EB12F100001F328AF0D1C9E224598A69

Function 00BF1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BF1449,?,?,00000000), ref: 00BF180C
HeapAlloc.KERNEL32(00000000,?,00BF1449,?,?,00000000), ref: 00BF1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BF1449,?,?,00000000), ref: 00BF1828
GetCurrentProcess.KERNEL32(?,00000000,?,00BF1449,?,?,00000000), ref: 00BF1830
DuplicateHandle.KERNEL32(00000000,?,00BF1449,?,?,00000000), ref: 00BF1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BF1449,?,?,00000000), ref: 00BF1843
GetCurrentProcess.KERNEL32(00BF1449,00000000,?,00BF1449,?,?,00000000), ref: 00BF184B
DuplicateHandle.KERNEL32(00000000,?,00BF1449,?,?,00000000), ref: 00BF184E
CreateThread.KERNEL32(00000000,00000000,00BF1874,00000000,00000000,00000000), ref: 00BF1868

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 04cd81023571ed22cb5cf925e1c8c92c753b46270a0b892101f313a89c1d2901
Instruction ID: 818289c5270633378a90656c8afbbde70ee7a888ea4e345c45445708170cb84c
Opcode Fuzzy Hash: 04cd81023571ed22cb5cf925e1c8c92c753b46270a0b892101f313a89c1d2901
Instruction Fuzzy Hash: 9D01BBB5650308BFE720ABA5DC8EF6F3BACEB89B11F104411FA05DB5A1CA709815CB60

Function 00C1A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BFD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BFD501
Part of subcall function 00BFD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BFD50F
Part of subcall function 00BFD4DC: CloseHandle.KERNELBASE(00000000), ref: 00BFD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C1A16D
GetLastError.KERNEL32 ref: 00C1A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C1A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C1A268
GetLastError.KERNEL32(00000000), ref: 00C1A273
CloseHandle.KERNEL32(00000000), ref: 00C1A2C4

Strings

SeDebugPrivilege, xrefs: 00C1A18F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0e828e0bb977be04452329608462eecf4a44a9982bbea7083cfbd2d532b88f1a
Instruction ID: f2294380728399f555aeead87866364e009ad502954e43394c50578b6e734c5c
Opcode Fuzzy Hash: 0e828e0bb977be04452329608462eecf4a44a9982bbea7083cfbd2d532b88f1a
Instruction Fuzzy Hash: 3061C431205241AFD720DF18C494F69BBE1AF45318F54849CE46A8BBA3C772ED89DB92

Function 00C23886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C23925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C2393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C23954
_wcslen.LIBCMT ref: 00C23999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C239F4

Strings

SysListView32, xrefs: 00C238F7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 4ebe5d05ec445a12f6e37428ea97cfc0ac7524ed46a0f6180d2eea688ff6fc07
Instruction ID: 1581467f7fd6e6796b61dea3beafa1c33b9b364c8b81a40329f04aa2c5c1854e
Opcode Fuzzy Hash: 4ebe5d05ec445a12f6e37428ea97cfc0ac7524ed46a0f6180d2eea688ff6fc07
Instruction Fuzzy Hash: 1A41C571A00228ABDF21DF64DC45BEE7BA9EF08350F100526F954E7681D7759A84CB90

Function 00BFBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BFBCFD
IsMenu.USER32(00000000), ref: 00BFBD1D
CreatePopupMenu.USER32 ref: 00BFBD53
GetMenuItemCount.USER32(014252C0), ref: 00BFBDA4
InsertMenuItemW.USER32(014252C0,?,00000001,00000030), ref: 00BFBDCC

Strings

0, xrefs: 00BFBCA8
2, xrefs: 00BFBD37

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 747e4562226f2b4423ceb85d6d6f99987cd819cbd538f64af9a6a8039acecc32
Instruction ID: 335fd69e19f4ef6043416cc2339c938788d9b8efa579f1f0ed92acc6642beb50
Opcode Fuzzy Hash: 747e4562226f2b4423ceb85d6d6f99987cd819cbd538f64af9a6a8039acecc32
Instruction Fuzzy Hash: 75519E74A0020D9BDB20DFA8D8C4FBEBBF4EF45314F1441A9E61197290D7709949CB52

Function 00BFC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BFC913

Strings

question, xrefs: 00BFC8CC
warning, xrefs: 00BFC8FC
stop, xrefs: 00BFC8E4
info, xrefs: 00BFC8B4
blank, xrefs: 00BFC895

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f22bf4c9f0e44ca2ad125f09ceb0220ffa06f62028f912a6729664c29256cc2d
Instruction ID: bad570fa28325e93adddd12b916b46716e6a389ec5f23afe16ae9b92bcf82e9f
Opcode Fuzzy Hash: f22bf4c9f0e44ca2ad125f09ceb0220ffa06f62028f912a6729664c29256cc2d
Instruction Fuzzy Hash: 3D115E3568970EBBE7015710DDC2DFE6BDCDF15355B5040BAF600A7182D7F19E885268

Function 00BFDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BFDE42
gethostname.WSOCK32(?,00000100), ref: 00BFDE5C
gethostbyname.WSOCK32(?), ref: 00BFDE69
inet_ntoa.WSOCK32(?), ref: 00BFDEAB
_strcat.LIBCMT ref: 00BFDEB9
WSACleanup.WSOCK32 ref: 00BFDEDE

Strings

0.0.0.0, xrefs: 00BFDE87

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 836e0b0d7aa495b1102c26b4f9e9a4f1f45b3dbde4a792dbc838eee41606cb72
Instruction ID: 1391675718963f1c718b69caf4625c7a3e29e722574c60e5f617cc072541681d
Opcode Fuzzy Hash: 836e0b0d7aa495b1102c26b4f9e9a4f1f45b3dbde4a792dbc838eee41606cb72
Instruction Fuzzy Hash: F311E431904119AFCB30AB609C8AFFE77EDEF11711F0101E9F6459B092EFB18A858A60

Function 00BED3A2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BED3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BED3BF
FreeLibrary.KERNEL32(00000000), ref: 00BED3E5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00BED3FC

Strings

X64, xrefs: 00BED2A8
kernel32.dll, xrefs: 00BED3A8
GetSystemWow64DirectoryW, xrefs: 00BED3B9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
API String ID: 582185067-2904798639
Opcode ID: 135f090891cbe544519dcb9196b28e9cd07c6162dc32cea2e03b5f47be10dfe1
Instruction ID: 28e8c76da7a23200bb17a0e5693ea245a9b2748160ccee31302619a8ea4062ce
Opcode Fuzzy Hash: 135f090891cbe544519dcb9196b28e9cd07c6162dc32cea2e03b5f47be10dfe1
Instruction Fuzzy Hash: 2AF027319066659BC3319711CCD9BAD73B4AF00B01F8480D1F602F6040DBB0CD448AA4

Function 00C29F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

GetSystemMetrics.USER32(0000000F), ref: 00C29FC7
GetSystemMetrics.USER32(0000000F), ref: 00C29FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C2A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C2A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C2A263
ShowWindow.USER32(00000003,00000000), ref: 00C2A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00C2A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C2A2CA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fecffaa32fbc833d8a37e8825b41945622dde5476025801e7601d222c0f7a3d8
Instruction ID: 0f3f1376c97758edce3c5d79c7a2a8b8a07c69d6a50b420c1278160dc8ab9c4b
Opcode Fuzzy Hash: fecffaa32fbc833d8a37e8825b41945622dde5476025801e7601d222c0f7a3d8
Instruction Fuzzy Hash: A4B1EC30600225DFCF28CF68D9C47AE3BB2FF44711F088069EC59ABA95D731AA40CB61

Function 00BFED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BFED2A
_wcslen.LIBCMT ref: 00BFED3B
_wcslen.LIBCMT ref: 00BFED79
_wcslen.LIBCMT ref: 00BFEDAF
_wcslen.LIBCMT ref: 00BFEDDF
_wcslen.LIBCMT ref: 00BFEDEF
_wcslen.LIBCMT ref: 00BFEE2B
_wcslen.LIBCMT ref: 00BFEE5A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cb7468467b3c35cc5ccee23b256bc2c2608663ec61a05c54da93faa7e60201ac
Instruction ID: 362a83d023ea8ac42cd91a2ff3e991045e16dd2c73dcf460a43768490c316d3a
Opcode Fuzzy Hash: cb7468467b3c35cc5ccee23b256bc2c2608663ec61a05c54da93faa7e60201ac
Instruction Fuzzy Hash: 8841C665C1011877DB11EBF4CC8A9EFB7E8AF45310F5084A6E614E3122FB78D649C3A5

Function 00BAF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00BAF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00BEF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00BEF454

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3f84ed624b434b952ed85a2ce5b0013686ea72dcee736b405bf5757d809d5c1f
Instruction ID: 81d5501a7d940791206112b1c3e712f6e0ee3618830982a87fc61f513fc15110
Opcode Fuzzy Hash: 3f84ed624b434b952ed85a2ce5b0013686ea72dcee736b405bf5757d809d5c1f
Instruction Fuzzy Hash: 7841093160C682BAC7798BAA88C87BF7BE2EF57311F1844BDE04752A60C771E881C751

Function 00C22D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C22D1B
GetDC.USER32(00000000), ref: 00C22D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C22D2E
ReleaseDC.USER32(00000000,00000000), ref: 00C22D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C22D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C22D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C25A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C22DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C22DE1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 97e0589051d226b4dcf2f45dba77375200521d398bfeced641ee27f20b5b237a
Instruction ID: 69107b4df09cbdb4df01ae39226f3866c284c01d6a9fba1c174e1c237e289a74
Opcode Fuzzy Hash: 97e0589051d226b4dcf2f45dba77375200521d398bfeced641ee27f20b5b237a
Instruction Fuzzy Hash: 19319872211224BFEB218F50DC8AFEF3BA9EF09711F044065FE089A691C6759C51CBA4

Function 00BF5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BF5637
_memcmp.LIBVCRUNTIME ref: 00BF5659
_memcmp.LIBVCRUNTIME ref: 00BF5671
_memcmp.LIBVCRUNTIME ref: 00BF5684
_memcmp.LIBVCRUNTIME ref: 00BF569E
_memcmp.LIBVCRUNTIME ref: 00BF56B1
_memcmp.LIBVCRUNTIME ref: 00BF56C9
_memcmp.LIBVCRUNTIME ref: 00BF56E4

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a91bee3187691954f064cef97df32b82703288373873bb00501c3fbf358efe04
Instruction ID: 09a03ddda14a7814ad6419c0b42b467773f9f4b482443481a2157148547f4177
Opcode Fuzzy Hash: a91bee3187691954f064cef97df32b82703288373873bb00501c3fbf358efe04
Instruction Fuzzy Hash: DC21C561644A1D77D6346A249D92FFA23DCEF20384F8400B4FF15DBA81F760ED1982A9

Function 00C14FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C15007
NULL Pointer assignment, xrefs: 00C1502E, 00C15383

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 9b3392dd234926eb0bf7c73a01338cf4837c6f041bea786ce4f8570c3b4552f0
Instruction ID: f338cce49b65cba6a7dfcfa18d376d64cca2f56728909a0b05cc4887e7044731
Opcode Fuzzy Hash: 9b3392dd234926eb0bf7c73a01338cf4837c6f041bea786ce4f8570c3b4552f0
Instruction Fuzzy Hash: 14D1B475A0060AEFDF10CF98C880BEEB7B5BF89344F148069E925AB291D770DE85DB50

Function 00BD1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BD15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BD17FB,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD16FB

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BD17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BD1777
__freea.LIBCMT ref: 00BD17A2
__freea.LIBCMT ref: 00BD17AE

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 94acc2d7c54be0f93cd17088f5b43f99250dfc5127ebe9f71dce4fe88eadfe7d
Instruction ID: 3b488c6dca4f4a94f8cd488146499194aa6a234ca36f2f6c48eaec7b37ffb1c5
Opcode Fuzzy Hash: 94acc2d7c54be0f93cd17088f5b43f99250dfc5127ebe9f71dce4fe88eadfe7d
Instruction Fuzzy Hash: DC91B371E00216BADB208E68D881AEEFBF5EF59714F184A9AE805E7351F739DD40C760

Function 00C14523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C14648
VariantInit.OLEAUT32(?), ref: 00C14749
VariantClear.OLEAUT32(?), ref: 00C14753
VariantClear.OLEAUT32(?), ref: 00C147B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C1472C
Null Object assignment in FOR..IN loop, xrefs: 00C145D8, 00C14706, 00C147BE

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 98d53cff8652523cfaff255d4c0e3e3eb1c1a49dd8c7d8f06afa0a0229e15b7d
Instruction ID: 4022fa66962fd2d06c797abe4d9813345a5fd947a6c16574a883eb784fca6b84
Opcode Fuzzy Hash: 98d53cff8652523cfaff255d4c0e3e3eb1c1a49dd8c7d8f06afa0a0229e15b7d
Instruction Fuzzy Hash: 8F91A271A00215AFDF24CFA5C844FEEBBB8EF46714F108559F515AB280D7709985DFA0

Function 00C01187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C0125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C01284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C0135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C01430

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 57db4414c0953e6000ed34591f42ef51f69b82d14ededd2647d51d50a1e85c14
Instruction ID: 6881d29b594d2fe47b4fc046d6b16cf90e08594eace224b17490371d12fca434
Opcode Fuzzy Hash: 57db4414c0953e6000ed34591f42ef51f69b82d14ededd2647d51d50a1e85c14
Instruction Fuzzy Hash: B191CE71A00219AFEB00DFA4C884BBEB7F5FF45724F294069E951EB2E1D774A941CB90

Function 00BA948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: dfa3c618c25b3bcf4eecc6337ee7026ea79145ed51025fb72e23439358b74d3f
Instruction ID: a08f7290d3590082616abde7ac733ba9cd7e7a83639b3c1d921a4701ad7e5080
Opcode Fuzzy Hash: dfa3c618c25b3bcf4eecc6337ee7026ea79145ed51025fb72e23439358b74d3f
Instruction Fuzzy Hash: C7914471D44219EFCB14CFA9C885AEEBBF8FF4A320F148089E515B7251D734AA42DB60

Function 00C13947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C1396B
CharUpperBuffW.USER32(?,?), ref: 00C13A7A
_wcslen.LIBCMT ref: 00C13A8A
VariantClear.OLEAUT32(?), ref: 00C13C1F

Part of subcall function 00C00CDF: VariantInit.OLEAUT32(00000000), ref: 00C00D1F
Part of subcall function 00C00CDF: VariantCopy.OLEAUT32(?,?), ref: 00C00D28
Part of subcall function 00C00CDF: VariantClear.OLEAUT32(?), ref: 00C00D34

Strings

AUTOIT.ERROR, xrefs: 00C13A80, 00C13A85
Incorrect Parameter format, xrefs: 00C139A6, 00C13BA1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: de0613497fb855d559c3c04c1747496a98cf3a2bb2e66e6c99051b4633eb66d7
Instruction ID: aeb212077f384805778174ab6e1848df173822ae85a2cb599ca018832493b632
Opcode Fuzzy Hash: de0613497fb855d559c3c04c1747496a98cf3a2bb2e66e6c99051b4633eb66d7
Instruction Fuzzy Hash: 57918E746083459FCB04DF64C4909AAB7E4FF89318F14896DF89997351DB30EE45DB82

Function 00C14BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BF000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?,?,00BF035E), ref: 00BF002B
Part of subcall function 00BF000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0046
Part of subcall function 00BF000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0054
Part of subcall function 00BF000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?), ref: 00BF0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C14C51
_wcslen.LIBCMT ref: 00C14D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C14DCF
CoTaskMemFree.OLE32(?), ref: 00C14DDA

Strings

NULL Pointer assignment, xrefs: 00C14E23, 00C14E52

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 41612fba3be0a14d159a5fabf8c0dcbe49ecaf26fab93d6a4e226d678cabada2
Instruction ID: a9f339ca26310278a0d6c2a662fb1810ebcbca56a762c3a0f592832efd5bcf08
Opcode Fuzzy Hash: 41612fba3be0a14d159a5fabf8c0dcbe49ecaf26fab93d6a4e226d678cabada2
Instruction Fuzzy Hash: F5912A71D0021DEFDF14DFA4D891AEEB7B9BF09310F108169E915A7291DB309A85DFA0

Function 00C220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C22183
GetMenuItemCount.USER32(00000000), ref: 00C221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C221DD
_wcslen.LIBCMT ref: 00C22213
GetMenuItemID.USER32(?,?), ref: 00C2224D
GetSubMenu.USER32(?,?), ref: 00C2225B

Part of subcall function 00BF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF3A57
Part of subcall function 00BF3A3D: GetCurrentThreadId.KERNEL32 ref: 00BF3A5E
Part of subcall function 00BF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BF25B3), ref: 00BF3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C222E3

Part of subcall function 00BFE97B: Sleep.KERNEL32 ref: 00BFE9F3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6642e5941aee96013774eca2209c6d9c839c2be73e10a84d874f6911d0a864f2
Instruction ID: ab3aeb6b89534e05eef7ebadfe13fa8b903c9e375212fde4279075e146622ffb
Opcode Fuzzy Hash: 6642e5941aee96013774eca2209c6d9c839c2be73e10a84d874f6911d0a864f2
Instruction Fuzzy Hash: 7271B235A00215EFCB10DFA5D881AAEB7F1EF48320F1184A9E826EB751D735EE418B90

Function 00C27E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01425428), ref: 00C27F37
IsWindowEnabled.USER32(01425428), ref: 00C27F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00C2801E
SendMessageW.USER32(01425428,000000B0,?,?), ref: 00C28051
IsDlgButtonChecked.USER32(?,?), ref: 00C28089
GetWindowLongW.USER32(01425428,000000EC), ref: 00C280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C280C3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 990bb1e51c8eff99a48e3fb08bf9009741a1fef783ac37db37476041fe92c352
Instruction ID: a13ce990df17ed75d597d6ba105af579aa40c8de2636d4750dce1b512c69852b
Opcode Fuzzy Hash: 990bb1e51c8eff99a48e3fb08bf9009741a1fef783ac37db37476041fe92c352
Instruction Fuzzy Hash: 4571B03460D224AFEB30DF94E9C4FAE7BB5EF09300F140159F96593AA1CB31AA45DB20

Function 00BFAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BFAEF9
GetKeyboardState.USER32(?), ref: 00BFAF0E
SetKeyboardState.USER32(?), ref: 00BFAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BFAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BFAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BFAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BFB020

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2c1a6291f3f9f1981ae851a2f368923babb506f41861bb39b51c8694ca5f9f2d
Instruction ID: f41b7f06abb17b4f6180c04aa6bf2c3f66252e40758d8030aa1e75495a216f38
Opcode Fuzzy Hash: 2c1a6291f3f9f1981ae851a2f368923babb506f41861bb39b51c8694ca5f9f2d
Instruction Fuzzy Hash: 7651B4E06147D93DFB364234CC45BBA7EE99B06304F0885C9E2D99A8C2C798A8CCD751

Function 00BFACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BFAD19
GetKeyboardState.USER32(?), ref: 00BFAD2E
SetKeyboardState.USER32(?), ref: 00BFAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BFADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BFADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BFAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BFAE38

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7a638c63a224676e7ac167f52e69f67fe648db8449e2e4b59fe4101841a3f1b0
Instruction ID: 4ba0b17b3fdadadb91cfe0a3b9c31a9ffd0313cff35889563e57abc673693f30
Opcode Fuzzy Hash: 7a638c63a224676e7ac167f52e69f67fe648db8449e2e4b59fe4101841a3f1b0
Instruction Fuzzy Hash: 0551D3E15047D93DFB3A8224CC85B7ABEE9AB46300F0884D8E2D9578C2C294EC8CD752

Function 00BC542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BD3CD6,?,?,?,?,?,?,?,?,00BC5BA3,?,?,00BD3CD6,?,?), ref: 00BC5470
__fassign.LIBCMT ref: 00BC54EB
__fassign.LIBCMT ref: 00BC5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BD3CD6,00000005,00000000,00000000), ref: 00BC552C
WriteFile.KERNEL32(?,00BD3CD6,00000000,00BC5BA3,00000000,?,?,?,?,?,?,?,?,?,00BC5BA3,?), ref: 00BC554B
WriteFile.KERNEL32(?,?,00000001,00BC5BA3,00000000,?,?,?,?,?,?,?,?,?,00BC5BA3,?), ref: 00BC5584

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4358f30a991ac3c346f084c258e32c1dfd51e08c7314a36bbade3732888772c5
Instruction ID: 41fab33328469cb149b5552aaed6ff30d1b56c7d140b15be42aff347304f49b4
Opcode Fuzzy Hash: 4358f30a991ac3c346f084c258e32c1dfd51e08c7314a36bbade3732888772c5
Instruction Fuzzy Hash: 0351B571A006099FDB20CFA8D885FEEBBF5EF18300F14455EE555E7291D670AA81CB60

Function 00BB2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BB2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00BB2D53
_ValidateLocalCookies.LIBCMT ref: 00BB2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00BB2E0C
_ValidateLocalCookies.LIBCMT ref: 00BB2E61

Strings

csm, xrefs: 00BB2DF6

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3dc68b1c62fff48ed33d1c6ba48bbe7b425a4fe7b4ed42b0ef20de3ae9efd847
Instruction ID: adbfe197067139e97f84f742061b23f7b99f05d7f31d671f90f12f124ed34c8e
Opcode Fuzzy Hash: 3dc68b1c62fff48ed33d1c6ba48bbe7b425a4fe7b4ed42b0ef20de3ae9efd847
Instruction Fuzzy Hash: EE419334A00209ABCF10DF68CC85AEEBBF5FF45324F1481A5E8156B392D7B1EA55CB91

Function 00C110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C1307A
Part of subcall function 00C1304E: _wcslen.LIBCMT ref: 00C1309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C11112
WSAGetLastError.WSOCK32 ref: 00C11121
WSAGetLastError.WSOCK32 ref: 00C111C9
closesocket.WSOCK32(00000000), ref: 00C111F9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 34e71193165c04f9636a74cd9e124e94b787e4ff2f65f84d8adc9f2aaebc5a0c
Instruction ID: fe0f0f6c7bebd645e5c8497a2d436564b701d3fb5c700b76a5b4497ce032bc87
Opcode Fuzzy Hash: 34e71193165c04f9636a74cd9e124e94b787e4ff2f65f84d8adc9f2aaebc5a0c
Instruction Fuzzy Hash: 7341D631600204AFDB109F14C884BEDBBE9EF46324F288059FE199B291D774EE85DBE1

Function 00BFCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BFCF22,?), ref: 00BFDDFD

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BFCF22,?), ref: 00BFDE16

lstrcmpiW.KERNEL32(?,?), ref: 00BFCF45
MoveFileW.KERNEL32(?,?), ref: 00BFCF7F
_wcslen.LIBCMT ref: 00BFD005
_wcslen.LIBCMT ref: 00BFD01B
SHFileOperationW.SHELL32(?), ref: 00BFD061

Strings

\*.*, xrefs: 00BFCFF3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ffaad991d683698554700487c1e5709b6f0607e2b3bd86c659856e60f81a3b72
Instruction ID: 2d220250545192251878ee6edd536edd69abe22b35ede4926d4c29ab27a89e6d
Opcode Fuzzy Hash: ffaad991d683698554700487c1e5709b6f0607e2b3bd86c659856e60f81a3b72
Instruction Fuzzy Hash: EE41247194521D5FDF12EBA4CA81AFDB7F9EF08340F1000E6E605E7151EA34A68DCB50

Function 00C22DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C22E1C
GetWindowLongW.USER32(?,000000F0), ref: 00C22E4F
GetWindowLongW.USER32(?,000000F0), ref: 00C22E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C22EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C22EE0
GetWindowLongW.USER32(?,000000F0), ref: 00C22EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C22F0B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a98a00ba94b1538486a5dbf820e27ce0612489b2559688bd0a7a9502342aceca
Instruction ID: f1118e5641dcce325a5a75291df76183e5021317bbed51a2e4dba01ed74376a8
Opcode Fuzzy Hash: a98a00ba94b1538486a5dbf820e27ce0612489b2559688bd0a7a9502342aceca
Instruction Fuzzy Hash: D1310730614160AFDB21CF59EC84F6937E1EB5A722F1A0164F9118F6B1CBB1AD41EF41

Function 00BF7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF778F
SysAllocString.OLEAUT32(00000000), ref: 00BF7792
SysAllocString.OLEAUT32(?), ref: 00BF77B0
SysFreeString.OLEAUT32(?), ref: 00BF77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00BF77DE
SysAllocString.OLEAUT32(?), ref: 00BF77EC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b4be31174fbd7d761b49e4c69313b8bab78f679cda55c9b7a97fd593ffa39cd9
Instruction ID: c3922882b0ca5ce88b7d1b96933c99775a2ced329b8961344bd48b9441117721
Opcode Fuzzy Hash: b4be31174fbd7d761b49e4c69313b8bab78f679cda55c9b7a97fd593ffa39cd9
Instruction Fuzzy Hash: 9D219176618219AFDB10AFA8CC88EFF73ECEB0936471080A5FA04DB150DA709C458BA0

Function 00BF77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BF7868
SysAllocString.OLEAUT32(00000000), ref: 00BF786B
SysAllocString.OLEAUT32 ref: 00BF788C
SysFreeString.OLEAUT32 ref: 00BF7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00BF78AF
SysAllocString.OLEAUT32(?), ref: 00BF78BD

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 46ab71a1ea532dd67f194088b752424f7ee79986fd6e9ba58a496a5fc125299b
Instruction ID: 58c91919384e973fe2bf8cff9d260b6b4512c1dd3cdae6c1157fd3c7838a197b
Opcode Fuzzy Hash: 46ab71a1ea532dd67f194088b752424f7ee79986fd6e9ba58a496a5fc125299b
Instruction Fuzzy Hash: A2216531608108AFDB10AFA9DCCDEBE77ECEB0976071081A5FA15CB1A1DA74DC45CB64

Function 00C004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C0052E

Strings

nul, xrefs: 00C00567

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 064882ea09933d741811e3ef71521292f1c4084cfaa7d9ddd556bc07f4d9cd06
Instruction ID: bf3e6ad87fbd92a36479ad3ae5ff3254335337130461569c6582c78341eb7e86
Opcode Fuzzy Hash: 064882ea09933d741811e3ef71521292f1c4084cfaa7d9ddd556bc07f4d9cd06
Instruction Fuzzy Hash: A4218975600305ABDB208F29DC45B9E7BB4AF44724F314A29F8B1E72E0E7709A41CF24

Function 00C005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C00601

Strings

nul, xrefs: 00C00639

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3cdd04386e2fdad167e18e7f1157dbe1e6f34608445506c717cafe2157527c12
Instruction ID: 41a15f8a8f4f3ddf9d00e87a60eb565b2d2ec045bb2ed22ee3a49f058193bb32
Opcode Fuzzy Hash: 3cdd04386e2fdad167e18e7f1157dbe1e6f34608445506c717cafe2157527c12
Instruction Fuzzy Hash: 93219C35500305DBDB208F699C44B9E77A9AF85721F310A19FCB1E32E0DBB19A61CB20

Function 00C240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B9604C
Part of subcall function 00B9600E: GetStockObject.GDI32(00000011), ref: 00B96060
Part of subcall function 00B9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B9606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C24112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C2411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C2412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C24139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C24145

Strings

Msctls_Progress32, xrefs: 00C240E3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8af7d1786a8d3aa6fe6c945260deb022558baba4288ca64b1a0d1ba3833df837
Instruction ID: 755df8cea8ec303fd693ce208237bb67282974b989ac53a50980b5fd87621127
Opcode Fuzzy Hash: 8af7d1786a8d3aa6fe6c945260deb022558baba4288ca64b1a0d1ba3833df837
Instruction Fuzzy Hash: 6411B6B11502297FEF218F64DC85EEB7F5DEF09798F014110FA18A2090C7729C61DBA4

Function 00BCD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BCD7A3: _free.LIBCMT ref: 00BCD7CC

_free.LIBCMT ref: 00BCD82D

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCD838
_free.LIBCMT ref: 00BCD843
_free.LIBCMT ref: 00BCD897
_free.LIBCMT ref: 00BCD8A2
_free.LIBCMT ref: 00BCD8AD
_free.LIBCMT ref: 00BCD8B8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ee21a4db04849bb884b43d00282d0704cdb3e9cd92275e43dac9d32a70570e54
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E6112E75640B04AAD621BFB0CC47FCB7BDCAF04700F40587EB29DA6992DA75B9058660

Function 00BFDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BFDA74
LoadStringW.USER32(00000000), ref: 00BFDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BFDA91
LoadStringW.USER32(00000000), ref: 00BFDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BFDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BFDAB9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e3c37b718f3c327c836ad7cf4b7f09d9ee9e473bdfc34aec08adf9a7e9752026
Instruction ID: b823ba0f75378217d343907cbd64bfbd5b24df155e43f8c9fa85a4a2d50f782a
Opcode Fuzzy Hash: e3c37b718f3c327c836ad7cf4b7f09d9ee9e473bdfc34aec08adf9a7e9752026
Instruction Fuzzy Hash: 2E0162F65002087FE7109BA49DC9FFF326CEB08701F4004A6B706E2041EA749E854F74

Function 00C0096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0141E388,0141E388), ref: 00C0097B
EnterCriticalSection.KERNEL32(0141E368,00000000), ref: 00C0098D
TerminateThread.KERNEL32(?,000001F6), ref: 00C0099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00C009A9
CloseHandle.KERNEL32(?), ref: 00C009B8
InterlockedExchange.KERNEL32(0141E388,000001F6), ref: 00C009C8
LeaveCriticalSection.KERNEL32(0141E368), ref: 00C009CF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a46f6440fdddd6191287ee63341d11ef9ba5ce9c9c00f9357ed8730354aaf81a
Instruction ID: eaf20f2f5ea8a6fc0de0361839271467a05f6e87f0327043466275ef98f8e670
Opcode Fuzzy Hash: a46f6440fdddd6191287ee63341d11ef9ba5ce9c9c00f9357ed8730354aaf81a
Instruction Fuzzy Hash: FCF01D31452902EBD7615B94EEC9BDE7A25BF01702F501015F10150CA1CB749576CF90

Function 00C11C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C11DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C11DE1
WSAGetLastError.WSOCK32 ref: 00C11DF2
htons.WSOCK32(?,?,?,?,?), ref: 00C11EDB
inet_ntoa.WSOCK32(?), ref: 00C11E8C

Part of subcall function 00BF39E8: _strlen.LIBCMT ref: 00BF39F2

Part of subcall function 00C13224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C0EC0C), ref: 00C13240

_strlen.LIBCMT ref: 00C11F35

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: d5c7099aae0646e9b2a73ca02ee4ef91618c1eb86f1c942705dbe7c714dee9bc
Instruction ID: fbd57037166f0d59859a6f86f84e2f2b44a3cccac8401af45466f4e3854af844
Opcode Fuzzy Hash: d5c7099aae0646e9b2a73ca02ee4ef91618c1eb86f1c942705dbe7c714dee9bc
Instruction Fuzzy Hash: B1B12931104340AFC724DF64C895F6A77E5AF86318F58859CF9664B2E2CB31EE86CB91

Function 00B95D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B95D30
GetWindowRect.USER32(?,?), ref: 00B95D71
ScreenToClient.USER32(?,?), ref: 00B95D99
GetClientRect.USER32(?,?), ref: 00B95ED7
GetWindowRect.USER32(?,?), ref: 00B95EF8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 900bf379277dca205fa54074bbdb8a370b8b3010313ba279577d7981a555dc20
Instruction ID: dce414ac288cb92e99739109736439724624a13c9c62bc562dbe66fc36cecb3b
Opcode Fuzzy Hash: 900bf379277dca205fa54074bbdb8a370b8b3010313ba279577d7981a555dc20
Instruction Fuzzy Hash: 02B16D35A00A4ADBDF24CFA9C4807EEB7F1FF48310F14846AE8A9D7250E734AA51DB50

Function 00BC01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00BC00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC00D6
__allrem.LIBCMT ref: 00BC00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC010B
__allrem.LIBCMT ref: 00BC0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BC0140

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 5d51b83895bbd1a40ddc650a86e1b8ea11c823ef1893808d86209ed3800c8ebe
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: FC81C671601706DBE724AF68CC82FBAB3E9EF41764F2445BEF551D6681E7B0D9008750

Function 00BC61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BB82D9,00BB82D9,?,?,?,00BC644F,00000001,00000001,8BE85006), ref: 00BC6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BC644F,00000001,00000001,8BE85006,?,?,?), ref: 00BC62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BC63D8
__freea.LIBCMT ref: 00BC63E5

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

__freea.LIBCMT ref: 00BC63EE
__freea.LIBCMT ref: 00BC6413

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 927abd99e43436ad00ccdb55967fc0f587c4f166218af4fb6fd8b933379cd6df
Instruction ID: 59ff2982ec3c3ee37bc1081259fc0653cf5ea3a26ea6655c1c903561935501f1
Opcode Fuzzy Hash: 927abd99e43436ad00ccdb55967fc0f587c4f166218af4fb6fd8b933379cd6df
Instruction Fuzzy Hash: 8651AF72A10256ABEB258F68CC81FAF77E9EF84750F1546ADFC05DA181EB34DC40C664

Function 00C1BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C1BD25
RegCloseKey.ADVAPI32(00000000), ref: 00C1BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C1BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C1BDF3
RegCloseKey.ADVAPI32(?), ref: 00C1BDFF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: fa802954a13cbb5d5394411ac775ab325bd2e07e6790d555e32d919d404a7f44
Instruction ID: ba10ba7e1b8488c9148e9b7da0d27ec692efccf02029ce2d55e16dc6f7408a8a
Opcode Fuzzy Hash: fa802954a13cbb5d5394411ac775ab325bd2e07e6790d555e32d919d404a7f44
Instruction Fuzzy Hash: A6815D30218241AFD714DF24C895E6ABBE5FF85308F1485ACF4554B2A2DB31ED45DF92

Function 00BEF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BEF7B9
SysAllocString.OLEAUT32(00000001), ref: 00BEF860
VariantCopy.OLEAUT32(00BEFA64,00000000), ref: 00BEF889
VariantClear.OLEAUT32(00BEFA64), ref: 00BEF8AD
VariantCopy.OLEAUT32(00BEFA64,00000000), ref: 00BEF8B1
VariantClear.OLEAUT32(?), ref: 00BEF8BB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6c7eb956c3df60d60b85cb2e6073e6cbe0e973a75d7e38d504d9824d6fa3d870
Instruction ID: ca28fd79656d062224d2ab79ebbc4142f441b7c9c7a1e2e2c3dae9aeebf8b400
Opcode Fuzzy Hash: 6c7eb956c3df60d60b85cb2e6073e6cbe0e973a75d7e38d504d9824d6fa3d870
Instruction Fuzzy Hash: D351B435510352EADF20AB66D8D5B39B3E8EF45310B2494F6E806DF292DB70CC40CB96

Function 00C0910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C094E5
_wcslen.LIBCMT ref: 00C09506
_wcslen.LIBCMT ref: 00C0952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C09585

Strings

X, xrefs: 00C09412

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 41dee99cd3c6a218a51b9087b42eb31e2cb6743d78555c2c0ad329845602a6ef
Instruction ID: 6cf4ec2571625900f173dd9e1f91293205dd9f6063d49262eccfaf3748ae83c8
Opcode Fuzzy Hash: 41dee99cd3c6a218a51b9087b42eb31e2cb6743d78555c2c0ad329845602a6ef
Instruction Fuzzy Hash: 66E17D715083019FDB24DF25C881B6AB7E4FF85314F1489ADF8999B2A2DB31DE05CB92

Function 00BA920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

BeginPaint.USER32(?,?,?), ref: 00BA9241
GetWindowRect.USER32(?,?), ref: 00BA92A5
ScreenToClient.USER32(?,?), ref: 00BA92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BA92D3
EndPaint.USER32(?,?,?,?,?), ref: 00BA9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BE71EA

Part of subcall function 00BA9339: BeginPath.GDI32(00000000), ref: 00BA9357

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 82c67db3aa03dbecca526d3a3e3d543853680aa56b6266cdbc12fb3aef93266f
Instruction ID: 7cef895a7425d662b0b68926518569bd9fe58623d8935ab654c2d7195fdcb16a
Opcode Fuzzy Hash: 82c67db3aa03dbecca526d3a3e3d543853680aa56b6266cdbc12fb3aef93266f
Instruction Fuzzy Hash: D041A070108300AFDB20DF25D8C5FAA7BF8EF46721F1802A9F954971A1CB719845EB62

Function 00C007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C0080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C00847
EnterCriticalSection.KERNEL32(?), ref: 00C00863
LeaveCriticalSection.KERNEL32(?), ref: 00C008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C00921

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f7aef474913f14cc9db89948635225159b3bfcbcd6f5afa93817a9148023b27f
Instruction ID: e099e91953c5e838dd631f6643ed74f99c8f7eee1476bd42a7afd190c4e965bd
Opcode Fuzzy Hash: f7aef474913f14cc9db89948635225159b3bfcbcd6f5afa93817a9148023b27f
Instruction Fuzzy Hash: 87414A71900205EBDF14AF94DC85BAE77B9FF04310F1580A5ED00AA29BDB30EE65DBA4

Function 00C281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BEF3AB,00000000,?,?,00000000,?,00BE682C,00000004,00000000,00000000), ref: 00C2824C
EnableWindow.USER32(?,00000000), ref: 00C28272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C282D1
ShowWindow.USER32(?,00000004), ref: 00C282E5
EnableWindow.USER32(?,00000001), ref: 00C2830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C2832F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a8f60df052547d4da34e3d00242687ac385d3a7a3edd1049cee6c299be1baf32
Instruction ID: d722211cd657fcb80eedbcc95a54c22f337281a0401dd91ae22e9dbec53ca3f5
Opcode Fuzzy Hash: a8f60df052547d4da34e3d00242687ac385d3a7a3edd1049cee6c299be1baf32
Instruction Fuzzy Hash: 6441C530602654EFDF21CF15E899BE87BE0FB0A715F1C4169E9184B672CB71A949CF50

Function 00BF4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BF4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BF4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BF4CEA
_wcslen.LIBCMT ref: 00BF4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BF4D10
_wcsstr.LIBVCRUNTIME ref: 00BF4D1A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 6ff24d98c3fb314841eba91557da2d25adee08860abf34c563ac7809b05d33c9
Instruction ID: 19cd65ad9bbcaa888b5a784bb0108c4be37a7db8beaa25fe5cb55aed6cf42cea
Opcode Fuzzy Hash: 6ff24d98c3fb314841eba91557da2d25adee08860abf34c563ac7809b05d33c9
Instruction Fuzzy Hash: E021D7352042057BEB255B699C89F7F7BD8DF45750F1040B9F905CB191DB61DC0596A0

Function 00C0581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B93A97,?,?,00B92E7F,?,?,?,00000000), ref: 00B93AC2

_wcslen.LIBCMT ref: 00C0587B
CoInitialize.OLE32(00000000), ref: 00C05995
CoCreateInstance.OLE32(00C2FCF8,00000000,00000001,00C2FB68,?), ref: 00C059AE
CoUninitialize.OLE32 ref: 00C059CC

Strings

.lnk, xrefs: 00C05876, 00C058C1, 00C05985

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f30c67d709c6b662fdc239098766925eec848d6553eb5dcd4fc1eb887d135d19
Instruction ID: 46b9d230d46bf2bf60252bff5aa2c1a9a6c1c61893e056e30df2bdad8c7b3ae8
Opcode Fuzzy Hash: f30c67d709c6b662fdc239098766925eec848d6553eb5dcd4fc1eb887d135d19
Instruction Fuzzy Hash: 44D165756086019FCB14DF14C480A2BBBE5EF89710F1588ADF8999B3A1DB31ED46CF92

Function 00BF175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BF0FCA
Part of subcall function 00BF0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BF0FD6
Part of subcall function 00BF0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BF0FE5
Part of subcall function 00BF0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BF0FEC
Part of subcall function 00BF0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BF1002

GetLengthSid.ADVAPI32(?,00000000,00BF1335), ref: 00BF17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BF17BA
HeapAlloc.KERNEL32(00000000), ref: 00BF17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BF17DA
GetProcessHeap.KERNEL32(00000000,00000000,00BF1335), ref: 00BF17EE
HeapFree.KERNEL32(00000000), ref: 00BF17F5

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e8c9c6b86a6ca3fa8ff6a44caf83b982ed78fa4c1cbb3110d84ae7e85ee2fc1f
Instruction ID: 85dee16ccf0dc1b96752017a76f06da7d87870b3be015ea319f11683f359b818
Opcode Fuzzy Hash: e8c9c6b86a6ca3fa8ff6a44caf83b982ed78fa4c1cbb3110d84ae7e85ee2fc1f
Instruction Fuzzy Hash: 8211ACB1910209EFDB20EFA8CC8ABBF7BE9EB41355F104898F54597210C735AD59CB60

Function 00BF14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BF14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00BF1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BF1515
CloseHandle.KERNEL32(00000004), ref: 00BF1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BF154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BF1563

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 10540ef2914ecda91a79d7928356ecf07d140f2c2a4556e09fc93bd1faacb04a
Instruction ID: c9385f4dcc80ff5e6c010dea30dfb361dfbc42d844b952c90370915def3e1683
Opcode Fuzzy Hash: 10540ef2914ecda91a79d7928356ecf07d140f2c2a4556e09fc93bd1faacb04a
Instruction Fuzzy Hash: 8B11597250020DEBDF21CF98DD89BEE7BA9EF48704F144854FA05A2160C375CE65DB60

Function 00BB3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BB3379,00BB2FE5), ref: 00BB3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BB339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BB33B7
SetLastError.KERNEL32(00000000,?,00BB3379,00BB2FE5), ref: 00BB3409

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 525211957f93113e2d7c56b4930eb457ac71824575e86ee9c0cc447eb6e9c423
Instruction ID: 44337e336a49a9ef44909f32da2fd90a2ce27ddec4ef911003c79beec198b185
Opcode Fuzzy Hash: 525211957f93113e2d7c56b4930eb457ac71824575e86ee9c0cc447eb6e9c423
Instruction Fuzzy Hash: C701243220C311BFAA2427B4BCC6BFF2BD4EB45B7A72002A9F411912F0EFD14D429148

Function 00BC2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BC5686,00BD3CD6,?,00000000,?,00BC5B6A,?,?,?,?,?,00BBE6D1,?,00C58A48), ref: 00BC2D78
_free.LIBCMT ref: 00BC2DAB
_free.LIBCMT ref: 00BC2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00BBE6D1,?,00C58A48,00000010,00B94F4A,?,?,00000000,00BD3CD6), ref: 00BC2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00BBE6D1,?,00C58A48,00000010,00B94F4A,?,?,00000000,00BD3CD6), ref: 00BC2DEC
_abort.LIBCMT ref: 00BC2DF2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a775cfe556fd0b8ee8c15dc33d7c08c0b1dfec846998eec7d569d6003c528b92
Instruction ID: d61267e94f845a159b69a2b699585041ae9572f5513d7b98f2768fc09cf5f129
Opcode Fuzzy Hash: a775cfe556fd0b8ee8c15dc33d7c08c0b1dfec846998eec7d569d6003c528b92
Instruction Fuzzy Hash: DBF0C835504B006BD6227734BC46F5F26D9EFD17A1F2445BCF825A22E2EF348C424160

Function 00C28A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA9693
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96A2
Part of subcall function 00BA9639: BeginPath.GDI32(?), ref: 00BA96B9
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C28A4E
LineTo.GDI32(?,00000003,00000000), ref: 00C28A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C28A70
LineTo.GDI32(?,00000000,00000003), ref: 00C28A80
EndPath.GDI32(?), ref: 00C28A90
StrokePath.GDI32(?), ref: 00C28AA0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8193864039fb3df7ffe6c4f7ce6d1532d517e0d31960ed9606d9d2db8deae954
Instruction ID: 995df57ddb48ed7ce4de961b97953b1bbcbbc9087013b713e29635ca00d1e6cd
Opcode Fuzzy Hash: 8193864039fb3df7ffe6c4f7ce6d1532d517e0d31960ed9606d9d2db8deae954
Instruction Fuzzy Hash: 85110976000118FFEF229F94DC88FAE7F6CEB08350F048012FA199A5A1C771AE55DBA0

Function 00BF51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BF5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BF5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF5230
ReleaseDC.USER32(00000000,00000000), ref: 00BF5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BF524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BF5261

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d37a3d483c084f76d03b89e583899b5869abce1e309fae0eb0feb555252e6953
Instruction ID: 773745748f1801c18513408017cca4b39e07a0f4bf4062048595038db310bf77
Opcode Fuzzy Hash: d37a3d483c084f76d03b89e583899b5869abce1e309fae0eb0feb555252e6953
Instruction Fuzzy Hash: F5018F75E00708BBEB209BA69C89B5EBFB8EF48751F044165FB04A7681D6709801CBA0

Function 00B91BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B91BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B91BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B91C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B91C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B91C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B91C22

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6cf09841d197cb1d1fc95896cda4abdd21fd2f9df675327bad80e966ac43d492
Instruction ID: 28dc1c9649149a529a8732fc01372f1aec07989258bb663523ff7b2d38084cac
Opcode Fuzzy Hash: 6cf09841d197cb1d1fc95896cda4abdd21fd2f9df675327bad80e966ac43d492
Instruction Fuzzy Hash: 9C0167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00BFEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BFEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BFEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BFEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BFEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BFEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BFEB75

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a4a7fae5c1879b26b6b2d5749399e60b801c8c5e52e8f4df11d52dec3bad964f
Instruction ID: dfed716b31fdd692133546ea5585f8c0d82d95ea0e7ee0559192c1a90deade60
Opcode Fuzzy Hash: a4a7fae5c1879b26b6b2d5749399e60b801c8c5e52e8f4df11d52dec3bad964f
Instruction Fuzzy Hash: 60F05E72250558BBE7315B629C8EFEF3E7CEFCAB11F000158F611E1491D7A05A02C6B5

Function 00BE7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BE7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BE7469
GetWindowDC.USER32(?), ref: 00BE7475
GetPixel.GDI32(00000000,?,?), ref: 00BE7484
ReleaseDC.USER32(?,00000000), ref: 00BE7496
GetSysColor.USER32(00000005), ref: 00BE74B0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 399181c16d4233bf599dbf04a28483797f11624ac51bf3c766266d6108220591
Instruction ID: c4805b69105149dfab02a91d1491eb6d9e0d1c61270704b3702ca713e4ce162f
Opcode Fuzzy Hash: 399181c16d4233bf599dbf04a28483797f11624ac51bf3c766266d6108220591
Instruction Fuzzy Hash: 3B018631410205EFEB319FA4DC88BAE7BB5FF04321F2400A0F926A26A0CF751E52AB50

Function 00BF1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BF187F
UnloadUserProfile.USERENV(?,?), ref: 00BF188B
CloseHandle.KERNEL32(?), ref: 00BF1894
CloseHandle.KERNEL32(?), ref: 00BF189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BF18A5
HeapFree.KERNEL32(00000000), ref: 00BF18AC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 215ca75715a18138f10ace5cb9f4a5a701e295357da0b1e6a4154fcd4d683092
Instruction ID: f30185df724a8abb556281d5a5921e0c74d77a3f6923c86d3c66038131366f14
Opcode Fuzzy Hash: 215ca75715a18138f10ace5cb9f4a5a701e295357da0b1e6a4154fcd4d683092
Instruction Fuzzy Hash: C7E0E536014501BBDB115FA1ED4DB4EBF39FF49B22B208620F22581874CB329432DF50

Function 00BFC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BFC6EE
_wcslen.LIBCMT ref: 00BFC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BFC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BFC7CA

Strings

0, xrefs: 00BFC6AF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 7a4ad57354cbea70e4263178ee9546a26291774e9cf6ab67633f268f85c17f0c
Instruction ID: cd68173f7f2b7773d6baa7fb5c5c58513365d290a11e4f29ffb756bc781d9992
Opcode Fuzzy Hash: 7a4ad57354cbea70e4263178ee9546a26291774e9cf6ab67633f268f85c17f0c
Instruction Fuzzy Hash: E851D17160830D9BD725AF28CA85B7B7BE4EF85310F0809A9FA95D3190DB70DD88CB52

Function 00C1AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C1AEA3

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

GetProcessId.KERNEL32(00000000), ref: 00C1AF38
CloseHandle.KERNEL32(00000000), ref: 00C1AF67

Strings

@, xrefs: 00C1AE72
<, xrefs: 00C1AE6B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c437d29dc92346f444787fdf5bb94af20803e8f0651f8cbb76cf3bea1b6b409e
Instruction ID: 4cf50e851cb2458a07a82eea78ce704dfb1a96d9f5ed270653a1ded2915546a1
Opcode Fuzzy Hash: c437d29dc92346f444787fdf5bb94af20803e8f0651f8cbb76cf3bea1b6b409e
Instruction Fuzzy Hash: 62714A71A00615DFCF14DF54C494A9EBBF0EF09314F0584A9E81AAB3A1CB74ED85CB91

Function 00BF719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BF723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BF724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BF72CF

Strings

DllGetClassObject, xrefs: 00BF7242

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f709ce333cde6dceff513b3ca79fa718eda60bedafcaf5f8c7b738bd2cfc20a1
Instruction ID: 19f0f423d865d3c50a047b24561a98619f1c5f41d77770548acaf4745fa9ba10
Opcode Fuzzy Hash: f709ce333cde6dceff513b3ca79fa718eda60bedafcaf5f8c7b738bd2cfc20a1
Instruction Fuzzy Hash: 1E415E71644208AFDF15CF54C885BAA7BE9EF45310F1480EDBE059F24ADBB1D949CBA0

Function 00C23D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C23E35
IsMenu.USER32(?), ref: 00C23E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C23E92
DrawMenuBar.USER32 ref: 00C23EA5

Strings

0, xrefs: 00C23D89

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 19762c7c9396255efb15b3846248e92ce522da64dede7d8e839256aaacb768fc
Instruction ID: 703c5d4e3618da7f79a65c81e998263a49b6b48b88a325d3b8a6f2522708a334
Opcode Fuzzy Hash: 19762c7c9396255efb15b3846248e92ce522da64dede7d8e839256aaacb768fc
Instruction Fuzzy Hash: 3A418875A10259AFDB20DF50E884AAEBBB9FF49350F054029E911A7650C334EE09CFA0

Function 00BF1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BF1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BF1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BF1EA9

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Strings

ComboBox, xrefs: 00BF1DF0
ListBox, xrefs: 00BF1E25

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 456c3f0738512202664fd7aab0622d811bad23d56e20d3eaf8104b3a1cc9e609
Instruction ID: 23b1e8b5dfc63050abeb8457ea8ac987c636bd8aa909826db4fa8e4423c6feb6
Opcode Fuzzy Hash: 456c3f0738512202664fd7aab0622d811bad23d56e20d3eaf8104b3a1cc9e609
Instruction Fuzzy Hash: 7F210271A00108FADB14ABA9DC96DFFB7F8DF46350B1049A9F925A71E1DB34490E8620

Function 00C22F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C22F8D
LoadLibraryW.KERNEL32(?), ref: 00C22F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C22FA9
DestroyWindow.USER32(?), ref: 00C22FB1

Strings

SysAnimate32, xrefs: 00C22F68

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 562357211f0df5fe8258aa84aafb7d459fb71e1e302bcd2c364db6ffe47de686
Instruction ID: 72c33bae49533ad4aa91249fa5acc5374609e3355029fddf6327a64cf2a7d2cf
Opcode Fuzzy Hash: 562357211f0df5fe8258aa84aafb7d459fb71e1e302bcd2c364db6ffe47de686
Instruction Fuzzy Hash: 2521AE71200225BBEB208FA4ED80FBB37B9EB59364F100228F960D2990D771DC919760

Function 00BB4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BB4D1E,00BC28E9,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002), ref: 00BB4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BB4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00BB4D1E,00BC28E9,?,00BB4CBE,00BC28E9,00C588B8,0000000C,00BB4E15,00BC28E9,00000002,00000000), ref: 00BB4DC3

Strings

mscoree.dll, xrefs: 00BB4D86
CorExitProcess, xrefs: 00BB4D98

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 095c23f637f67b7161effc6f8b426570f658db54afc54d834b2bfae54108b28b
Instruction ID: 813cb9c81a0e9a7e0ae3d8f03cd90024db8a34dd1dd4ec57bffbd30ec8ae0550
Opcode Fuzzy Hash: 095c23f637f67b7161effc6f8b426570f658db54afc54d834b2bfae54108b28b
Instruction Fuzzy Hash: 5FF06235A50308BBDB219F90DC89BEEBFF5EF44752F0000A4F805A26A1CBB05D51CB90

Function 00B94E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B94EAE
FreeLibrary.KERNEL32(00000000,?,?,00B94EDD,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94EC0

Strings

kernel32.dll, xrefs: 00B94E94
Wow64DisableWow64FsRedirection, xrefs: 00B94EA8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 70ce6a1f1eb83949d6d04f815638156138d71d13ea7c5884532f29c0f47ba2b5
Instruction ID: f671a451980ef58848b903b29a7b730cbcc9a7571fa16567e815428e4043c5a4
Opcode Fuzzy Hash: 70ce6a1f1eb83949d6d04f815638156138d71d13ea7c5884532f29c0f47ba2b5
Instruction Fuzzy Hash: 3BE0CD36A11D325BD63117257C59F6F6594EF81F637050175FC01D2500DB60CD0380E0

Function 00B94E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B94E74
FreeLibrary.KERNEL32(00000000,?,?,00BD3CDE,?,00C61418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B94E87

Strings

kernel32.dll, xrefs: 00B94E5B
Wow64RevertWow64FsRedirection, xrefs: 00B94E6E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 6faf1a1fdc5a3f58effc16e5b60adcbe8750cb58fc54da0a3ad33887cac7b1ea
Instruction ID: b9826a68d28b59c8b2d319595b60e7cc30b4f9318609b219767e727ac94e1dac
Opcode Fuzzy Hash: 6faf1a1fdc5a3f58effc16e5b60adcbe8750cb58fc54da0a3ad33887cac7b1ea
Instruction Fuzzy Hash: 82D0C236922E31574A321B247C09F8F2A58EF85B513050170BC00A2210CF20CD13C1D0

Function 00C02947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C02C05
DeleteFileW.KERNEL32(?), ref: 00C02C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C02C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C02CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C02CC0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 4c8e20823cecbbb7aa8fc5d839fd2b1aab42c040108445cc1fba82ddcbc3e899
Instruction ID: 79b736b5f7a6f3b6814cd89a5ba9fcc317f3c01c01bad92f2e81b93930e5c763
Opcode Fuzzy Hash: 4c8e20823cecbbb7aa8fc5d839fd2b1aab42c040108445cc1fba82ddcbc3e899
Instruction Fuzzy Hash: DEB12F71E00119ABDF21DBA4CC89EEEB7BDEF49350F1040A6F909E6191EB709A44DF61

Function 00C1A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C1A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C1A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C1A468
CloseHandle.KERNEL32(?), ref: 00C1A63D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ea117fdb9bb2765114dd10cd55694db2c9458eb1c49d54f305f8552576f1550d
Instruction ID: d8600ab9f25b81dc5f19deb11fb99cae21e429514ee07b2f9d5ad69480b4612b
Opcode Fuzzy Hash: ea117fdb9bb2765114dd10cd55694db2c9458eb1c49d54f305f8552576f1550d
Instruction Fuzzy Hash: 26A1A1716043009FD720DF24D886F2ABBE5AF88714F14885DF56A9B392DBB0ED45CB92

Function 00BCBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C33700), ref: 00BCBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C6121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BCBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C61270,000000FF,?,0000003F,00000000,?), ref: 00BCBC36
_free.LIBCMT ref: 00BCBB7F

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCBD4B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: d806bdeda2cb8d46ccf0dec27a403304c6f1b62da24355ff3b4dcc3381f81254
Instruction ID: ffde944e15b7e89ff741410eeda699cfede2da8afa4dbbbb860283ab1f223c1d
Opcode Fuzzy Hash: d806bdeda2cb8d46ccf0dec27a403304c6f1b62da24355ff3b4dcc3381f81254
Instruction Fuzzy Hash: 9A51B671900209AFCB24EF659C82FAEB7F8EB41361F1442EEE555E7191EB705E418B50

Function 00BFE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BFCF22,?), ref: 00BFDDFD

Part of subcall function 00BFDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BFCF22,?), ref: 00BFDE16

Part of subcall function 00BFE199: GetFileAttributesW.KERNEL32(?,00BFCF95), ref: 00BFE19A

lstrcmpiW.KERNEL32(?,?), ref: 00BFE473
MoveFileW.KERNEL32(?,?), ref: 00BFE4AC
_wcslen.LIBCMT ref: 00BFE5EB
_wcslen.LIBCMT ref: 00BFE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BFE650

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 5c07b58b9964cf3d5c615950ee345cfd4ab4c927a873907522300041b3f60b77
Instruction ID: e43cc86932e6f35a9851561b51c66268679d44d7995c136bcf27b5959c3324ce
Opcode Fuzzy Hash: 5c07b58b9964cf3d5c615950ee345cfd4ab4c927a873907522300041b3f60b77
Instruction Fuzzy Hash: D35131B24083499BC764EB94DC819FFB3ECAF84340F00496EF69993151EE74E68C8766

Function 00C1B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00C1C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C1B6AE,?,?), ref: 00C1C9B5
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1C9F1
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA68
Part of subcall function 00C1C998: _wcslen.LIBCMT ref: 00C1CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C1BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C1BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C1BB63
RegCloseKey.ADVAPI32(?,?), ref: 00C1BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00C1BBB3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 82080a4930e0cabc0f02a4bb79dc688f5742e41dd60fbcf6833ad39c2802c7db
Instruction ID: 256a23bee890582c35861b0e9dbbc63c427f15cde037144de9b8fc415f9fcb7d
Opcode Fuzzy Hash: 82080a4930e0cabc0f02a4bb79dc688f5742e41dd60fbcf6833ad39c2802c7db
Instruction Fuzzy Hash: 87619131218241AFD714DF24C490E6ABBE5FF85308F1485ACF4994B2A2DB31ED85DF92

Function 00BF8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BF8BCD
VariantClear.OLEAUT32 ref: 00BF8C3E
VariantClear.OLEAUT32 ref: 00BF8C9D
VariantClear.OLEAUT32(?), ref: 00BF8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BF8D3B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 46bfa9d6b67ee13885cdb3ef799e6af85338e1045f8b327aa472f108aaf26504
Instruction ID: 9fc64197d37410ed28de17941d628cde535efe9a76c375d234817db64f3602eb
Opcode Fuzzy Hash: 46bfa9d6b67ee13885cdb3ef799e6af85338e1045f8b327aa472f108aaf26504
Instruction Fuzzy Hash: 38517BB5A00619EFCB10CF68C884AAAB7F9FF89310B158569F909DB354E730E911CF90

Function 00C08AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C08BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C08BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C08C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C08C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C08C5F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6da460c37ed5472ee193c8eeb4d3e1af63295db8eee10c41089b2d2cf75c6a99
Instruction ID: 55109982c7a77c32b959512d0c111949bc7bd9a2526d3989bd6b33e8a27ed334
Opcode Fuzzy Hash: 6da460c37ed5472ee193c8eeb4d3e1af63295db8eee10c41089b2d2cf75c6a99
Instruction Fuzzy Hash: 94512635A10215AFDF11DF64C880A6DBBF5EF49314F09C0A8E849AB3A2DB31ED55CB90

Function 00C18EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C18F40
GetProcAddress.KERNEL32(00000000,?), ref: 00C18FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C18FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00C19032
FreeLibrary.KERNEL32(00000000), ref: 00C19052

Part of subcall function 00BAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C01043,?,7529E610), ref: 00BAF6E6
Part of subcall function 00BAF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BEFA64,00000000,00000000,?,?,00C01043,?,7529E610,?,00BEFA64), ref: 00BAF70D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: fe8f65ec76695511bfbc5cd4dbc8403c21457082f1fa1299dc892ca6d941ae6e
Instruction ID: e1c79bdb085df8f88bea087fbdd10e4b5cc9f2f41515386b7f4038fd92be4e8b
Opcode Fuzzy Hash: fe8f65ec76695511bfbc5cd4dbc8403c21457082f1fa1299dc892ca6d941ae6e
Instruction Fuzzy Hash: 14512935A04205DFCB15DF58C4949EDBBF1FF4A314B0580A8E81A9B762DB31EE86DB90

Function 00C26B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C26C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00C26C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C26C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C0AB79,00000000,00000000), ref: 00C26C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C26CC7

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d878042c2efbc3167b06d949bf365392486638505bf07058d328803aaf279580
Instruction ID: ed5181d924245bf95a176ea68744f5f47f3ee6bb548bafdd2809c0bd6c82fb64
Opcode Fuzzy Hash: d878042c2efbc3167b06d949bf365392486638505bf07058d328803aaf279580
Instruction Fuzzy Hash: 51410835604124AFD724EF39DC94FA97BA5EB09360F140268FCA5A76E0C771EE41DA60

Function 00BC2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC20C3
_free.LIBCMT ref: 00BC20E3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6c7ef695d6c2f0c3f92d4cc3c190d2c490f66b64cfeeba05fcdee68795145836
Instruction ID: 305ecf505da662c70c12c4b030fe1488e6b13dcafc5331f36f92c8f15700353d
Opcode Fuzzy Hash: 6c7ef695d6c2f0c3f92d4cc3c190d2c490f66b64cfeeba05fcdee68795145836
Instruction Fuzzy Hash: 7541AF36A002009FCB24DF78C881F6DB7E5EF89314F1545ADE615EB392DA31AD01CB90

Function 00BA912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BA9141
ScreenToClient.USER32(00000000,?), ref: 00BA915E
GetAsyncKeyState.USER32(00000001), ref: 00BA9183
GetAsyncKeyState.USER32(00000002), ref: 00BA919D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5f090fa999bc165d1e6da114e3014522206d1480a8f466b6098e0e8120679040
Instruction ID: 292d4d1718090b2f8d32c895127610ff71f8438f03413397e02c547bdb41da2a
Opcode Fuzzy Hash: 5f090fa999bc165d1e6da114e3014522206d1480a8f466b6098e0e8120679040
Instruction Fuzzy Hash: 84414F31A0865AFBDF159F65C884BEEB7B4FF06320F208255E425B7290CB346D54EB91

Function 00C03874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C03922
TranslateMessage.USER32(?), ref: 00C0394B
DispatchMessageW.USER32(?), ref: 00C03955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C03966

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1c9cdba4d25ce4fa82e0359aa6dc6f89e6465b39759158238632fa18bee3cc4b
Instruction ID: 445c3ebb8a752ccf18ef92c7dfe9dd993bf782d7488b064d4dbcd05a0b282093
Opcode Fuzzy Hash: 1c9cdba4d25ce4fa82e0359aa6dc6f89e6465b39759158238632fa18bee3cc4b
Instruction Fuzzy Hash: D031C6709143C19EEB35CB369848BBA37ACAB05305F0C456AE872861E0E3F49785DB51

Function 00C0CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C0CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C0C21E,00000000), ref: 00C0CFF2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 145328a913f3377f76f2b86a80523165078d369ab09f29a9826edec8ae5b9ea0
Instruction ID: 7ce07e23b22572f24e596680a47fa2e70e6205337b6a9d1f1e0b85cf62f010b0
Opcode Fuzzy Hash: 145328a913f3377f76f2b86a80523165078d369ab09f29a9826edec8ae5b9ea0
Instruction Fuzzy Hash: F9316971604206EFDB20DFE5C8C4AAEBBF9EB14350B10456EF516D2180DB30AE41DB61

Function 00BF1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BF19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00BF19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BF19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BF19E2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bff4957344e65f9b259a29d3433b0c0e504787805583dafc7fd07f9470b40836
Instruction ID: 8eedab239234b965c825c1e2d08cbceecc2712041d3ed3b2eebf2e695d2e5c28
Opcode Fuzzy Hash: bff4957344e65f9b259a29d3433b0c0e504787805583dafc7fd07f9470b40836
Instruction Fuzzy Hash: 6231C47190021DEFCB14CFACC999BEE3BB5EB04314F008A55FA21A72D0C3B09959CB90

Function 00C25706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C25745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C2579D
_wcslen.LIBCMT ref: 00C257AF
_wcslen.LIBCMT ref: 00C257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C25816

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 775104417ca5d9eb6bff7f94d4cdc50232ee30155ec141f6e69662023aaa9d57
Instruction ID: d70d7bfa66d3d11df0378b7b7c85056d3bee7818781aa3fe2c35cef6afb1004e
Opcode Fuzzy Hash: 775104417ca5d9eb6bff7f94d4cdc50232ee30155ec141f6e69662023aaa9d57
Instruction Fuzzy Hash: 14218F759146289ADB20DFA5EC84AEEB7B8FF04720F108256F929EA580D7708A85CF50

Function 00C10930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C10951
GetForegroundWindow.USER32 ref: 00C10968
GetDC.USER32(00000000), ref: 00C109A4
GetPixel.GDI32(00000000,?,00000003), ref: 00C109B0
ReleaseDC.USER32(00000000,00000003), ref: 00C109E8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8a480b3e139533d4f76bade64c848a68017d6ff4df440460fcf8410abc93bf77
Instruction ID: d85246bdced944c1b867d0fe0204dae2cea4d035cd1abba9364df2390e69d9a0
Opcode Fuzzy Hash: 8a480b3e139533d4f76bade64c848a68017d6ff4df440460fcf8410abc93bf77
Instruction Fuzzy Hash: 5321A135600204AFD714EF65D898BAEBBF5EF44700F14806CF85A977A2CB70AD45DB90

Function 00BCCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BCCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BCCDE9

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BCCE0F
_free.LIBCMT ref: 00BCCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BCCE31

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1e817f59ec104888371ffbcad656157919e08da7aef05852f25431abf6812b14
Instruction ID: 57e05d201a7a20a759b70808708f24128f979b6fd6b39e5e322401080b2456bd
Opcode Fuzzy Hash: 1e817f59ec104888371ffbcad656157919e08da7aef05852f25431abf6812b14
Instruction Fuzzy Hash: 850184726016167F23215ABA6CC9F7F6DEDDED7BA231501ADF909C7201EA719D0281F0

Function 00BA9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA9693
SelectObject.GDI32(?,00000000), ref: 00BA96A2
BeginPath.GDI32(?), ref: 00BA96B9
SelectObject.GDI32(?,00000000), ref: 00BA96E2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f37d2d05b9e328933c0a1c0507b6185ec3cfb3bc15f99a276deb8fc48e8b2dae
Instruction ID: 5bd40df4dd3c5ca99af92eca2f3bf0b00bd29f79775e8c3ee6429a539d49002b
Opcode Fuzzy Hash: f37d2d05b9e328933c0a1c0507b6185ec3cfb3bc15f99a276deb8fc48e8b2dae
Instruction Fuzzy Hash: A5217F30816305EBEB219F6AEC557AD3BB8FF02316F1C0256F810A61A0D3B05892EF94

Function 00BF5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BF5726
_memcmp.LIBVCRUNTIME ref: 00BF5744
_memcmp.LIBVCRUNTIME ref: 00BF5757
_memcmp.LIBVCRUNTIME ref: 00BF576F
_memcmp.LIBVCRUNTIME ref: 00BF5787

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fc710c9fec89dddff4653329837e00fba7e6f69a896f13774b47b95a370ac459
Instruction ID: c7aecf678146f9f13690074a919f86924df942864df6592813ff37f02daf4355
Opcode Fuzzy Hash: fc710c9fec89dddff4653329837e00fba7e6f69a896f13774b47b95a370ac459
Instruction Fuzzy Hash: 3E01D272345A1DBB9228A515AD82EFB63DCDB20394B4000B4FF059B641F6A0ED2583A4

Function 00BC2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BBF2DE,00BC3863,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6), ref: 00BC2DFD
_free.LIBCMT ref: 00BC2E32
_free.LIBCMT ref: 00BC2E59
SetLastError.KERNEL32(00000000,00B91129), ref: 00BC2E66
SetLastError.KERNEL32(00000000,00B91129), ref: 00BC2E6F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1ced54c0e2e717f16b534d59b9b4dfea93af40055a75d1247dafbe8fa5961c98
Instruction ID: 9edf89e6ce8e8a44fe9b8328c675a9b0c292f93df2df7827d06a1b17e9e05109
Opcode Fuzzy Hash: 1ced54c0e2e717f16b534d59b9b4dfea93af40055a75d1247dafbe8fa5961c98
Instruction Fuzzy Hash: 3A012836205B026BCA2267746CC5F6F26EDEBC17B1B2044ACF421B22E2EF708C014020

Function 00BF000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?,?,00BF035E), ref: 00BF002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?), ref: 00BF0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BEFF41,80070057,?,?), ref: 00BF0070

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 84be21546bc35d724039c0642c164b734688b29a7cbd9f4b814b9d76f8bff2d7
Instruction ID: 4eb274e774b612163fa21fad3dd18170ca208d8b2b46855da6b3000b42c57369
Opcode Fuzzy Hash: 84be21546bc35d724039c0642c164b734688b29a7cbd9f4b814b9d76f8bff2d7
Instruction Fuzzy Hash: 98017C7262020CBBDB215F68DC84BAE7BEDEB44751F148164FA05D3221DB75DD458BA0

Function 00BFE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BFE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00BFE9A5
Sleep.KERNEL32(00000000), ref: 00BFE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00BFE9B7
Sleep.KERNEL32 ref: 00BFE9F3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9bdd116d82a186e0a7a5383c3e9a4d5e7ccb85cb1e11373900fcd6a6623857cf
Instruction ID: 404019d80a8be619a9ceb19a19622084edb42fe823e5761130532f798acbc4b3
Opcode Fuzzy Hash: 9bdd116d82a186e0a7a5383c3e9a4d5e7ccb85cb1e11373900fcd6a6623857cf
Instruction Fuzzy Hash: C5013931C0162DDBCF109BE4D8897FDBBB8FB09700F008586E612B3260CB709569C7A1

Function 00BF10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BF1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BF0B9B,?,?,?), ref: 00BF1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BF114D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 301f915c88f5622e229fcb6f772c6586357b92c3ec73f0a2693425db881631b9
Instruction ID: 580d7c0a0d2ca2a1b8f24c41d9a616e07d61bea266fdc7a792c3694e8ed38ecc
Opcode Fuzzy Hash: 301f915c88f5622e229fcb6f772c6586357b92c3ec73f0a2693425db881631b9
Instruction Fuzzy Hash: 7A016D79100205BFDB214F68DC89B6E3BAEEF85360B100854FA41D3360DB31DD158A60

Function 00BF0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BF0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BF0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BF0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BF0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BF1002

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b2a467cd9cd6afa23e32a09241d02efd44df86b5043250bf1d024b7606807c80
Instruction ID: 216fbfe8b3ac0df25bdb8b8b47a7f4a98795a1f1c6b6eb2db871a1e19da00457
Opcode Fuzzy Hash: b2a467cd9cd6afa23e32a09241d02efd44df86b5043250bf1d024b7606807c80
Instruction Fuzzy Hash: 93F04936210305EBDB214FA89C8AF6E3BADEF89762F204864FA45C7251CA70DC558A60

Function 00BF1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BF102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1062

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7aa3546fad7d19730f9678e1b0d8110f5ee5350b1ee2f5151ab94c787b629699
Instruction ID: 3b2527065ceb007e2a2af19f2255e73b1f8a72c107e56a030e7bac68fee98b16
Opcode Fuzzy Hash: 7aa3546fad7d19730f9678e1b0d8110f5ee5350b1ee2f5151ab94c787b629699
Instruction Fuzzy Hash: 49F06D35210305FBDB215FA8EC89F6E3BADEF89761F200824FA45C7250CE70D8558A60

Function 00C0030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00324
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00331
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C0033E
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C0034B
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00358
CloseHandle.KERNEL32(?,?,?,?,00C0017D,?,00C032FC,?,00000001,00BD2592,?), ref: 00C00365

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c0d34a3f9d583cae495f9ef69f3456a9d980480d76b65005c5aac1fffe6d297f
Instruction ID: f6b2926208a3786c83c35ad716841e6b93e375f482ced2fbec46002d40608313
Opcode Fuzzy Hash: c0d34a3f9d583cae495f9ef69f3456a9d980480d76b65005c5aac1fffe6d297f
Instruction Fuzzy Hash: 6401A272800B159FC7319F66D880516F7F9BF503157268A3FD1A652971C371AA55CF80

Function 00BCD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BCD752

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BCD764
_free.LIBCMT ref: 00BCD776
_free.LIBCMT ref: 00BCD788
_free.LIBCMT ref: 00BCD79A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e272b432b900598d1804badc1dd8b3f17d07dbb9e378141bf9d38a7e55284bb0
Instruction ID: faf0da63d48c75649dca752b0c473092de06503e95bdb40c49e6bbaed5ba6ab8
Opcode Fuzzy Hash: e272b432b900598d1804badc1dd8b3f17d07dbb9e378141bf9d38a7e55284bb0
Instruction Fuzzy Hash: 35F0FF76544304ABC621EB64F9C5F1A77DDFB4471179508AEF089E7641CB70FC808664

Function 00BF5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BF5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BF5C6F
MessageBeep.USER32(00000000), ref: 00BF5C87
KillTimer.USER32(?,0000040A), ref: 00BF5CA3
EndDialog.USER32(?,00000001), ref: 00BF5CBD

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: eacb1c5a5c044d9e3aa147311e2185aa287efbec3971c2235dc57c0d907aa2a5
Instruction ID: 01b7a3a244b747456c113d63c5a457a482c67e65e94877f919a081e08088cf9d
Opcode Fuzzy Hash: eacb1c5a5c044d9e3aa147311e2185aa287efbec3971c2235dc57c0d907aa2a5
Instruction Fuzzy Hash: ED011730510B04ABEB315B14DD8EFA977F8FF04B05F041599F743A14E1D7F459598A91

Function 00BC22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC22BE

Part of subcall function 00BC29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000), ref: 00BC29DE
Part of subcall function 00BC29C8: GetLastError.KERNEL32(00000000,?,00BCD7D1,00000000,00000000,00000000,00000000,?,00BCD7F8,00000000,00000007,00000000,?,00BCDBF5,00000000,00000000), ref: 00BC29F0

_free.LIBCMT ref: 00BC22D0
_free.LIBCMT ref: 00BC22E3
_free.LIBCMT ref: 00BC22F4
_free.LIBCMT ref: 00BC2305

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0e8e5d417692e7ed38151338f13d2ba622267b6c7c7cbbcb0fd050b4658a0a30
Instruction ID: 2f0c33d3e611fdfe766d97b8ac4e6ec2da53455dbd59f53759905b2a8715f751
Opcode Fuzzy Hash: 0e8e5d417692e7ed38151338f13d2ba622267b6c7c7cbbcb0fd050b4658a0a30
Instruction Fuzzy Hash: 63F03A748402209F8A22AF95BC41F0D3BA4F718762718059EF850EA3B1CBB00952EFA5

Function 00BA95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BA95D4
StrokeAndFillPath.GDI32(?,?,00BE71F7,00000000,?,?,?), ref: 00BA95F0
SelectObject.GDI32(?,00000000), ref: 00BA9603
DeleteObject.GDI32 ref: 00BA9616
StrokePath.GDI32(?), ref: 00BA9631

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 22a269555317b2579d9cf17734722ad476392628462742f7e710288ed9281500
Instruction ID: 554e1936601713e87e3750fa31c77541d8ae7e0b56faff142cdbf55cc919bd8c
Opcode Fuzzy Hash: 22a269555317b2579d9cf17734722ad476392628462742f7e710288ed9281500
Instruction Fuzzy Hash: 57F01930409304EBEB365F6AED5976C3BA5EB02322F0C8254F825554F0C7B089A6EFA0

Function 00BC0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00BC10F9
__freea.LIBCMT ref: 00BC1117

Part of subcall function 00BC1537: _free.LIBCMT ref: 00BC154F

Strings

a/p, xrefs: 00BC11DE
am/pm, xrefs: 00BC117A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 576b055ba4b23f48e3f96265a97294336456142c0134be9c6a370bde3430b8f3
Instruction ID: fc066244bdd765c76f7807b332b0099261df65f458e53b230c12756cbc5be4eb
Opcode Fuzzy Hash: 576b055ba4b23f48e3f96265a97294336456142c0134be9c6a370bde3430b8f3
Instruction Fuzzy Hash: 34D1F035900246EACB249F6CC895FBAB7F0EF47704F2849DDE901BB642D2359D80CBA5

Function 00C17B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0242: EnterCriticalSection.KERNEL32(00C6070C,00C61884,?,?,00BA198B,00C62518,?,?,?,00B912F9,00000000), ref: 00BB024D
Part of subcall function 00BB0242: LeaveCriticalSection.KERNEL32(00C6070C,?,00BA198B,00C62518,?,?,?,00B912F9,00000000), ref: 00BB028A

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BB00A3: __onexit.LIBCMT ref: 00BB00A9

__Init_thread_footer.LIBCMT ref: 00C17BFB

Part of subcall function 00BB01F8: EnterCriticalSection.KERNEL32(00C6070C,?,?,00BA8747,00C62514), ref: 00BB0202
Part of subcall function 00BB01F8: LeaveCriticalSection.KERNEL32(00C6070C,?,00BA8747,00C62514), ref: 00BB0235

Strings

5, xrefs: 00C17C78
G, xrefs: 00C17C7F
Variable must be of type 'Object'., xrefs: 00C17C3A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ac2dada92bb85c487a24f90143c74952385e28278c8e5f5ef38e4eaa90c870a4
Instruction ID: 53246333011845ac8164ee6d5cbf3b4242ccb0f720f824eef0347e84bdbfd44b
Opcode Fuzzy Hash: ac2dada92bb85c487a24f90143c74952385e28278c8e5f5ef38e4eaa90c870a4
Instruction Fuzzy Hash: DF918C74A08209EFCB14EF94D8919FDB7B1FF4A300F108199F8169B291DB71AE85EB51

Function 00BF2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BFB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BF21D0,?,?,00000034,00000800,?,00000034), ref: 00BFB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BF2760

Part of subcall function 00BFB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BF21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BFB3F8

Part of subcall function 00BFB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BFB355
Part of subcall function 00BFB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BF2194,00000034,?,?,00001004,00000000,00000000), ref: 00BFB365
Part of subcall function 00BFB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BF2194,00000034,?,?,00001004,00000000,00000000), ref: 00BFB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BF27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BF281A

Strings

@, xrefs: 00BF2832

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: da05396c62024831d5ad6475a4cac3c4411ff10f278d8adf8c08bf215622b82b
Instruction ID: b5d5cbab23133a69c64e5a141db838c74124777942da758bbccd30d0149e2a1e
Opcode Fuzzy Hash: da05396c62024831d5ad6475a4cac3c4411ff10f278d8adf8c08bf215622b82b
Instruction Fuzzy Hash: E741F97690021CAEDB10DBA4C986FEEBBB8EF09740F104095FA55B7191DB706E49CBA1

Function 00BC172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00BC1769
_free.LIBCMT ref: 00BC1834
_free.LIBCMT ref: 00BC183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00BC1760, 00BC1767, 00BC1796, 00BC17CE

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 15af6035f7398e35b3c228b08974bf4ea937b83bbb53a4dd42c872499cee7d30
Instruction ID: fd2b06a3b572b43e68df96323075717a8ac8c17f12e7edc4aab8c1c73f927c61
Opcode Fuzzy Hash: 15af6035f7398e35b3c228b08974bf4ea937b83bbb53a4dd42c872499cee7d30
Instruction Fuzzy Hash: 42316475A44218AFDB21DF999C85F9EBBFCEB86310B1445EAF804E7212D6B04E40CB90

Function 00BFC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BFC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00BFC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C61990,014252C0), ref: 00BFC395

Strings

0, xrefs: 00BFC2DF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d9593a2a4b83d064a1f7c53439de02d8da21493f194f23baf6908334ef17cf1c
Instruction ID: f1a5992726955d3b49bac26093a641257da823cbdcfcb8e440e0842a9371373e
Opcode Fuzzy Hash: d9593a2a4b83d064a1f7c53439de02d8da21493f194f23baf6908334ef17cf1c
Instruction Fuzzy Hash: 7E41B1312083099FD720DF25D984B6ABFE4EF85350F1086ADFAA5972D1D730E948CB5A

Function 00C24416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C2CC08,00000000,?,?,?,?), ref: 00C244AA
GetWindowLongW.USER32 ref: 00C244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C244D7

Strings

SysTreeView32, xrefs: 00C2447C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 77dd91d9b158401ec98141677f015e2c0eb65bcbd5eaaf92dcdd9981f626ac3a
Instruction ID: 14941805b68a802aa13ce11439125bc0b6609864c5020088d59e7dc2c772b6d6
Opcode Fuzzy Hash: 77dd91d9b158401ec98141677f015e2c0eb65bcbd5eaaf92dcdd9981f626ac3a
Instruction Fuzzy Hash: 0D319A31210225ABDB249E38EC85BEA7BA9EB09324F204325F975A25E0DB70ED519B50

Function 00C1304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C13077,?,?), ref: 00C13378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C1307A
_wcslen.LIBCMT ref: 00C1309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00C13106

Strings

255.255.255.255, xrefs: 00C13095, 00C1309A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 93b786ee24adc0a7b898923f0fd69621a8b24e6f075bba6338cea1ce8a534d5c
Instruction ID: 365bd91a29c029119b8e6194b8b1f81f6dadfbcc532e1ca26e867840238caadf
Opcode Fuzzy Hash: 93b786ee24adc0a7b898923f0fd69621a8b24e6f075bba6338cea1ce8a534d5c
Instruction Fuzzy Hash: 8331C6356002419FCB10CF69C585EE977E0EF56318F248099E9258B392D771DF85D760

Function 00C23EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C23F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C23F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C23F78

Strings

SysMonthCal32, xrefs: 00C23F0B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 399be6b1cca73b722891d1b7474b3c46e1ca071be8c0453fa2a6f588471703e3
Instruction ID: 907a94467361868da983bb4d90d083910464bbe9506b5e87cb83158b800276e3
Opcode Fuzzy Hash: 399be6b1cca73b722891d1b7474b3c46e1ca071be8c0453fa2a6f588471703e3
Instruction Fuzzy Hash: CF21DD32600229BBDF218E90EC82FEE3B75EB48714F110254FE156B1D0C6B5AD55CB90

Function 00C24653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C24705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C24713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C2471A

Strings

msctls_updown32, xrefs: 00C24684

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b9f2c6f9603ab137a2768542ae578135d8851813560c9040ecc3c600a5dde130
Instruction ID: 02d8fd83b51001a05e34602df614844c89475b01b64ddc476ce1c76f1fb59001
Opcode Fuzzy Hash: b9f2c6f9603ab137a2768542ae578135d8851813560c9040ecc3c600a5dde130
Instruction Fuzzy Hash: 83216DB5600218AFDB14DF68ECC1EBB37EDEF5A7A4B040059FA149B691CB70ED51CA60

Function 00BF95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF961D

Strings

#OnAutoItStartRegister, xrefs: 00BF95F3
#notrayicon, xrefs: 00BF95B7
#requireadmin, xrefs: 00BF95D9

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 8f06bdf701c28a2d12afb4db246ac2ff4713a5e5053df8272a9969d6189253a2
Instruction ID: 77d9a88962cfde614e1fe1d82324dec3f799a363f930a47df009346b4949eefc
Opcode Fuzzy Hash: 8f06bdf701c28a2d12afb4db246ac2ff4713a5e5053df8272a9969d6189253a2
Instruction Fuzzy Hash: 1421087220462967D731AA249C42FB773D8EF61710F1440BAFA49D7141EBA1DD4AC295

Function 00C237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C23840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C23850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C23876

Strings

Listbox, xrefs: 00C2380F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0369cc1145228656bc4eeaeb63d7c569aa382bfe5f32eb9417dc6eb955c797bf
Instruction ID: 06ad21ddbd3d8b6af1a6229bf62723e6522711d0674c139041e3134ad48e7695
Opcode Fuzzy Hash: 0369cc1145228656bc4eeaeb63d7c569aa382bfe5f32eb9417dc6eb955c797bf
Instruction Fuzzy Hash: 1F21BE72610228BBEF218F54EC85FAB376AEF89B50F118125F9109B590CA75DD528BA0

Function 00C049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C04A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C04A5C
SetErrorMode.KERNEL32(00000000,?,?,00C2CC08), ref: 00C04AD0

Strings

%lu, xrefs: 00C04A6F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: b0db9a6f19cc78794a187852b7c3717819771333ba838ff1595f7d50110446b2
Instruction ID: 1f1979e3f9084d72f2e9d44188ba288d0ae149f8f6271243c73e045f081e856b
Opcode Fuzzy Hash: b0db9a6f19cc78794a187852b7c3717819771333ba838ff1595f7d50110446b2
Instruction Fuzzy Hash: 96315375A00109AFDB10DF54C885EAE7BF8EF04304F1480A9F905DB252DB71EE46CB61

Function 00C241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C2424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C24264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C24271

Strings

msctls_trackbar32, xrefs: 00C24226

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ffe0f12f271cf4174c0fda7077527fbd4874da381ecb7f25ce097afc4426abe1
Instruction ID: 529b9f9d2bd22f574f0be1cc9771821a42a51dd9d4f10a172ff4339f5812ed59
Opcode Fuzzy Hash: ffe0f12f271cf4174c0fda7077527fbd4874da381ecb7f25ce097afc4426abe1
Instruction Fuzzy Hash: E111E331240218BFEF205E29DC46FAB3BACEF95B54F010124FA55E2090D2B1D8619B20

Function 00BF2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B96B57: _wcslen.LIBCMT ref: 00B96B6A

Part of subcall function 00BF2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BF2DC5
Part of subcall function 00BF2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF2DD6
Part of subcall function 00BF2DA7: GetCurrentThreadId.KERNEL32 ref: 00BF2DDD
Part of subcall function 00BF2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BF2DE4

GetFocus.USER32 ref: 00BF2F78

Part of subcall function 00BF2DEE: GetParent.USER32(00000000), ref: 00BF2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00BF2FC3
EnumChildWindows.USER32(?,00BF303B), ref: 00BF2FEB

Strings

%s%d, xrefs: 00BF2FFF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 309f144f1b5dc97c2ed3fee0613ca26fd99bfcc519a380759a42c5a580254c7c
Instruction ID: a21a880c61d9a1062612565240dcc9420c5c4a9417856ed085ee1e47b4bda560
Opcode Fuzzy Hash: 309f144f1b5dc97c2ed3fee0613ca26fd99bfcc519a380759a42c5a580254c7c
Instruction Fuzzy Hash: 2011AF756002096BDF157F708CC6FFE77EAAF84304F0480B5BA099B292DE70994E8B60

Function 00C25882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C258EE
DrawMenuBar.USER32(?), ref: 00C258FD

Strings

0, xrefs: 00C2588F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2c89e88fa2590f44ea5e61a55bca89a14bb59641570f048038c1557f7cdb5d73
Instruction ID: 572b62ec84fbf95a032753a4e00448a8059a1be664725404d270a867b6e633fe
Opcode Fuzzy Hash: 2c89e88fa2590f44ea5e61a55bca89a14bb59641570f048038c1557f7cdb5d73
Instruction Fuzzy Hash: 70018C31514228EFDB21AF51EC44BEFBBB4FF45360F1080AAE849D6151DB308A85EF21

Function 00BF007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b918d2384d66ddf360cdafba14523846ab4eac1e9dd7c89de7fbce3d3e4b97
Instruction ID: 9a5ee2254eaaa2ffae47e7e929966c1e0e391225a9f4f833746aed5d9613513c
Opcode Fuzzy Hash: 35b918d2384d66ddf360cdafba14523846ab4eac1e9dd7c89de7fbce3d3e4b97
Instruction Fuzzy Hash: 9AC13975A1020AAFDB14DFA4C894ABEB7F5FF48704F108598E605EB262D731EE45CB90

Function 00BC3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BC3F0B
__alldvrm.LIBCMT ref: 00BC410C
__alldvrm.LIBCMT ref: 00BC412E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 59e67491aa03013542cf34ad6da1d518a9bfc78a7976e257fdb5715e4fe8a73f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 68A13571E003869FDB21CF18C8A1FAABFE5EF65350F1885EEE5959B281C3348A81C750

Function 00C1342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C13459
CoUninitialize.OLE32 ref: 00C13463
VariantInit.OLEAUT32(?), ref: 00C1346E
VariantClear.OLEAUT32(?), ref: 00C1371B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 12c2332c2aed710e189bbd5e492ba693499f09b319714d03b8264fd1fbfc7865
Instruction ID: b211b7de1b5eb41a59ae74fdedfb89a445bce3f738bbc55cb7d98b6d575a99dc
Opcode Fuzzy Hash: 12c2332c2aed710e189bbd5e492ba693499f09b319714d03b8264fd1fbfc7865
Instruction Fuzzy Hash: A6A19E752183009FCB00DF24C495A6AB7E5FF89714F05889DF98A9B362DB30EE45DB91

Function 00BF0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C2FC08,?), ref: 00BF05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C2FC08,?), ref: 00BF0608
CLSIDFromProgID.OLE32(?,?,00000000,00C2CC40,000000FF,?,00000000,00000800,00000000,?,00C2FC08,?), ref: 00BF062D
_memcmp.LIBVCRUNTIME ref: 00BF064E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2cb149046a98d089b527ffcef4698fd43eb340cde1c0408e564dfaa21d21b694
Instruction ID: cb87660c8f08a37b051d234229cce887fed06080bb7b890e505c4342cf3d3eae
Opcode Fuzzy Hash: 2cb149046a98d089b527ffcef4698fd43eb340cde1c0408e564dfaa21d21b694
Instruction Fuzzy Hash: 95810C71910109EFCB04DF94C984EEEB7F9FF89315F104598E606AB261DB71AE0ACB60

Function 00C1A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C1A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00C1A6BA

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Process32NextW.KERNEL32(00000000,?), ref: 00C1A79C
CloseHandle.KERNEL32(00000000), ref: 00C1A7AB

Part of subcall function 00BACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BD3303,?), ref: 00BACE8A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2364f564ac8f31bc4dba64953c686db624962f56168ef6c4c151e456fefe70d0
Instruction ID: 20405d28a31d66108c37863a229b97daa17139858819451cf199b9ce6cf1aceb
Opcode Fuzzy Hash: 2364f564ac8f31bc4dba64953c686db624962f56168ef6c4c151e456fefe70d0
Instruction Fuzzy Hash: 35514B71508300AFD710EF24C886A6FBBE8FF89754F40896DF599972A1EB30D945CB92

Function 00BD1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BD14C0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84e17144be1c89b3d88510fd80161b6c7686d426f31d46324e1754d7693a4fc9
Instruction ID: 39c60ce0e7d8ea2ce55e51de54dcd808cd74dff938b61ce2ea26ae9ca5a1148a
Opcode Fuzzy Hash: 84e17144be1c89b3d88510fd80161b6c7686d426f31d46324e1754d7693a4fc9
Instruction Fuzzy Hash: 6F414935600501BBDB256FBD9C86BBEBAE4EF41330F144AEBF418D2392F6B448415E61

Function 00C26278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C262E2
ScreenToClient.USER32(?,?), ref: 00C26315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C26382

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 656b2f1ec8300de0b3646faf00244ff61b3de68b77182ee2581ba3a595cd2bc8
Instruction ID: 36ff27c22fc86120ea120fb418cb762b82604a95f365272b88ce2eccb16d375c
Opcode Fuzzy Hash: 656b2f1ec8300de0b3646faf00244ff61b3de68b77182ee2581ba3a595cd2bc8
Instruction Fuzzy Hash: 78513E74900219EFDF20DF68E880AAE7BB5FF45360F148169F925976A0D730EE41CBA0

Function 00C11AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C11AFD
WSAGetLastError.WSOCK32 ref: 00C11B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C11B8A
WSAGetLastError.WSOCK32 ref: 00C11B94

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 763fc02ef411bed7965cdce34fac5d22ee29847c4f9eaaff53c0ed5920c64b9a
Instruction ID: 098153d0d0df49dc2172a72353c6c9cd29cc76dca06f15adaedb0cda0ea1e1a5
Opcode Fuzzy Hash: 763fc02ef411bed7965cdce34fac5d22ee29847c4f9eaaff53c0ed5920c64b9a
Instruction Fuzzy Hash: F441E574600200AFDB20AF24C886F697BE5AB45718F54C498FA199F3D3D776ED818B90

Function 00BCB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baabd312509e4be4f4e7bfb9cae52e28de860b01cbf0e5f4144ce5de8a65c26
Instruction ID: db473704c02c605ae1e0d2e564b315ebb659ccb11adf864d530a61cde657a702
Opcode Fuzzy Hash: 0baabd312509e4be4f4e7bfb9cae52e28de860b01cbf0e5f4144ce5de8a65c26
Instruction Fuzzy Hash: BC41B075A04704AFD7289F78CC42FAEBBE9EB88710F1045AEF551DB382D77199018790

Function 00C056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C05783
GetLastError.KERNEL32(?,00000000), ref: 00C057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C057FA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 50b8fd7921556580260449359dac0743d16601e37ac3595a024f25f62eb190e7
Instruction ID: b697b5770d798dd125602f1a0ffb8643db4d163e26b69f65f9db805042e65451
Opcode Fuzzy Hash: 50b8fd7921556580260449359dac0743d16601e37ac3595a024f25f62eb190e7
Instruction Fuzzy Hash: 46412935214610DFCB10DF15C594A1EBBE2EF99720B19C498E85AAB3A2CB30FD01CB91

Function 00BCD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BB6D71,00000000,00000000,00BB82D9,?,00BB82D9,?,00000001,00BB6D71,8BE85006,00000001,00BB82D9,00BB82D9), ref: 00BCD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BCD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BCD9AB
__freea.LIBCMT ref: 00BCD9B4

Part of subcall function 00BC3820: RtlAllocateHeap.NTDLL(00000000,?,00C61444,?,00BAFDF5,?,?,00B9A976,00000010,00C61440,00B913FC,?,00B913C6,?,00B91129), ref: 00BC3852

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6c50932e719375932ceca5aaa058b88bb7e79643de9aa39044c9a73c185b49d9
Instruction ID: 701294212315e119b6262a08f0b42fad9d679e90ee751eafd7fab6cf93ddb05a
Opcode Fuzzy Hash: 6c50932e719375932ceca5aaa058b88bb7e79643de9aa39044c9a73c185b49d9
Instruction Fuzzy Hash: 97319A76A0020AABDF249F64DC85FEE7BE5EB41710B0542ACFC04D6291EB75CD51CBA0

Function 00C252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00C25352
GetWindowLongW.USER32(?,000000F0), ref: 00C25375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C25382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C253A8

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ee771b78d800c11df57dcdcebe929381cbd8d7155093888b66ade8c68124f6e1
Instruction ID: 54ce70d72f30ee0044b9d8d1f5294a7250b435f4ac03ff4a3ccd9ac2f5b3b603
Opcode Fuzzy Hash: ee771b78d800c11df57dcdcebe929381cbd8d7155093888b66ade8c68124f6e1
Instruction Fuzzy Hash: 2D31C534A55A28EFEB30DF14EC45BEA37A5AB04390F586101FA21969F1C7B09E409B51

Function 00BFAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00BFABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BFAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BFAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00BFACC6

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9d8b0856b340fc587a666881ba4a48b6d3710f4ed3826263651ced6013816b78
Instruction ID: ec59327b2ee3e01efed330ab6679bdb77365d5d81d67b5e620614aff42d85633
Opcode Fuzzy Hash: 9d8b0856b340fc587a666881ba4a48b6d3710f4ed3826263651ced6013816b78
Instruction Fuzzy Hash: BB3128B0A0071C6FEF38CB658C447FE7BE5EB49310F04429AE689531D0C375998D8752

Function 00C27674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C2769A
GetWindowRect.USER32(?,?), ref: 00C27710
PtInRect.USER32(?,?,00C28B89), ref: 00C27720
MessageBeep.USER32(00000000), ref: 00C2778C

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6cbf68717c2afefc77b98f9a1f6ee0683ce90bad866ca025163462be045d6042
Instruction ID: aac94abe5d78166ce1cc349633c8197b4efb89868be423b7661b42dd48136f88
Opcode Fuzzy Hash: 6cbf68717c2afefc77b98f9a1f6ee0683ce90bad866ca025163462be045d6042
Instruction Fuzzy Hash: D0418D346052259FCB22CF59E8D4FAD77F4BB48B14F1842A8E8249B661C770AA41DF90

Function 00C216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C216EB

Part of subcall function 00BF3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF3A57
Part of subcall function 00BF3A3D: GetCurrentThreadId.KERNEL32 ref: 00BF3A5E
Part of subcall function 00BF3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BF25B3), ref: 00BF3A65

GetCaretPos.USER32(?), ref: 00C216FF
ClientToScreen.USER32(00000000,?), ref: 00C2174C
GetForegroundWindow.USER32 ref: 00C21752

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e7cfb55d237e615f9fd7b05f1f5ade9b61511e8167964f0bcca97701df8ef444
Instruction ID: 5c55676110ad08bd56ecd1d4a29e4247f4137099f3e72b10342aad9935962f22
Opcode Fuzzy Hash: e7cfb55d237e615f9fd7b05f1f5ade9b61511e8167964f0bcca97701df8ef444
Instruction Fuzzy Hash: 83315475D00149AFCB10DFAAC8C1DAEBBF9EF48304B5480A9E415E7611E731DE45CBA0

Function 00BFDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

_wcslen.LIBCMT ref: 00BFDFCB
_wcslen.LIBCMT ref: 00BFDFE2
_wcslen.LIBCMT ref: 00BFE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00BFE018

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 59d8879d5c25e81659e6e5eb61a21701c88f6b00db8f692c70fb002a6e0a977e
Instruction ID: f1e3c65c0b75ae55d43be44b03eb27243e156047c50b47ee90b5d5771dbaeb0a
Opcode Fuzzy Hash: 59d8879d5c25e81659e6e5eb61a21701c88f6b00db8f692c70fb002a6e0a977e
Instruction Fuzzy Hash: AE21A371900218AFCB219FA8D982BBEB7F8EF45750F1440A9E905BB251D7B0DE41CBA1

Function 00C28FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

GetCursorPos.USER32(?), ref: 00C29001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BE7711,?,?,?,?,?), ref: 00C29016
GetCursorPos.USER32(?), ref: 00C2905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BE7711,?,?,?), ref: 00C29094

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b2b967525c3c67944d639577177c2831193602de57b71052be0336271eda5ad8
Instruction ID: 070857a8237e0ccab6728f81046b50480f804db72a40a854aea555cc51ecd278
Opcode Fuzzy Hash: b2b967525c3c67944d639577177c2831193602de57b71052be0336271eda5ad8
Instruction Fuzzy Hash: 3B21BF31600028EFCB258F95D898FFE3BB9FF89360F044165F91587661C7319A50EB60

Function 00BFD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C2CB68), ref: 00BFD2FB
GetLastError.KERNEL32 ref: 00BFD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BFD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C2CB68), ref: 00BFD376

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d70eb67cb1961374943691b40f9b77b26ca750d8a7bfce87b7e4efc485273177
Instruction ID: 42c4af0dafeedc79db95f2ae525a605496bdfb8a5baea9702b5e989099d5a367
Opcode Fuzzy Hash: d70eb67cb1961374943691b40f9b77b26ca750d8a7bfce87b7e4efc485273177
Instruction Fuzzy Hash: 9D21D1705082059F8710DF28C88197E77E5EE5A364F104AADF699C32A1DB30D90ACB97

Function 00BF1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BF102A
Part of subcall function 00BF1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1036
Part of subcall function 00BF1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1045
Part of subcall function 00BF1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF104C
Part of subcall function 00BF1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BF1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BF15BE
_memcmp.LIBVCRUNTIME ref: 00BF15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BF1617
HeapFree.KERNEL32(00000000), ref: 00BF161E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 025190ad1e9aa9a3ec5b18e89399e72081642779b2bd0a110def9e17b6500cb6
Instruction ID: d83a8b1e704f727af26c9983290790ff63cdd07c5553e5c584828daa957753b6
Opcode Fuzzy Hash: 025190ad1e9aa9a3ec5b18e89399e72081642779b2bd0a110def9e17b6500cb6
Instruction Fuzzy Hash: CE215731E00108EBDB10DFA8C945BFEB7F8EF54344F084899E541AB241E731AA09CBA0

Function 00C22782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C2280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C22824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C22832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C22840

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0a131d0012a50f5e98d8a7b8e55e3773b8e9f879fc36cc730e8d40c36f1d5ae7
Instruction ID: 7b580f1041428e9b76bd12bf71fcdc600f29b64fae76e23e5a9989ddb1ade0ce
Opcode Fuzzy Hash: 0a131d0012a50f5e98d8a7b8e55e3773b8e9f879fc36cc730e8d40c36f1d5ae7
Instruction Fuzzy Hash: 1621D335208121BFD7249B24DC84FAA7B95EF45324F148258F4268BAE2CB75FD82CB90

Function 00BF78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BF790A,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?), ref: 00BF8D8C
Part of subcall function 00BF8D7D: lstrcpyW.KERNEL32(00000000,?,?,00BF790A,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?,00000000), ref: 00BF8DB2
Part of subcall function 00BF8D7D: lstrcmpiW.KERNEL32(00000000,?,00BF790A,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?), ref: 00BF8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BF8754,00000000,?,0000001C,?,?,00000000), ref: 00BF7923
lstrcpyW.KERNEL32(00000000,?,?,00BF8754,00000000,?,0000001C,?,?,00000000), ref: 00BF7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BF8754,00000000,?,0000001C,?,?,00000000), ref: 00BF7984

Strings

cdecl, xrefs: 00BF797B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 35bcd4e17646bdbe1cd167a788f364bbd706c6224878c5290e53d7fbbc97ad1e
Instruction ID: ab4e1d951d4b9eb9c009f472006b5134e514ce9aa2c35f350f22b0bff04e18da
Opcode Fuzzy Hash: 35bcd4e17646bdbe1cd167a788f364bbd706c6224878c5290e53d7fbbc97ad1e
Instruction Fuzzy Hash: 0211033A200206BBDB259F34CC45E7E77E9FF95350B4080AAFA02C72A4EF719815C7A1

Function 00C27CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00C27D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C27D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C27D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C0B7AD,00000000), ref: 00C27D6B

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 46bd4bfa5b22e35a6d5f2fecca9d6cccdf2e8ca2b52896285bc8a6aaff9d11da
Instruction ID: 88cb5d5b5c1e40bb104dec26143ca0ebfe2b784830b161148f69d874f6ee1a11
Opcode Fuzzy Hash: 46bd4bfa5b22e35a6d5f2fecca9d6cccdf2e8ca2b52896285bc8a6aaff9d11da
Instruction Fuzzy Hash: 0411DF31214625AFCB208F29EC84BAA3BA5AF45370F294724FC39C76F0D7309A11DB50

Function 00C25660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00C256BB
_wcslen.LIBCMT ref: 00C256CD
_wcslen.LIBCMT ref: 00C256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C25816

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 35450aefe4fbd968376f0bef4c900463fbc65c36b0142a0619bb0b3009584549
Instruction ID: b95fca6c36e301dd958870a2a27a70388b8fc15f8d85943f07a4b967dc232b69
Opcode Fuzzy Hash: 35450aefe4fbd968376f0bef4c900463fbc65c36b0142a0619bb0b3009584549
Instruction Fuzzy Hash: 3C11D3716006289ADF20EF66EC85BFF77ACEF10760B504066F925D6581E7B0CA80CB64

Function 00BC1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a2258fa1fa6c4d2b8646b9670439abbf4b5e16d1c2f52440622476c39abeb5
Instruction ID: 1adb16a0a71406f63db34150a7fc75d557d0b003396830f98cf22e7a698cff83
Opcode Fuzzy Hash: 28a2258fa1fa6c4d2b8646b9670439abbf4b5e16d1c2f52440622476c39abeb5
Instruction Fuzzy Hash: 9B012CB2205A167EF621167C6CC1F6B669DDF423B8B3507BDF532611D6DB708C5051B0

Function 00BF1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BF1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BF1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BF1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BF1A8A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fbae3920d7537b2684180f632b19728b0dfd54a4bb3c8c257d0f659b37ed19d2
Instruction ID: 9ceb8fae89df4f0cff6bc5f06d2f32659bfb3c2df21297e755142070fdc040f9
Opcode Fuzzy Hash: fbae3920d7537b2684180f632b19728b0dfd54a4bb3c8c257d0f659b37ed19d2
Instruction Fuzzy Hash: 4E11393AD01219FFEB10DFA9CD85FADBBB8EB08750F200491EA10B7290D6716E50DB94

Function 00BFE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BFE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00BFE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BFE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BFE24D

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4eb76c80bde85f0a219f57173fe3c3f8f313ac7f198739a8b0651269729f79f0
Instruction ID: f89fb722459058045167ad635ad287bc112d37e8b50080059acd23c08f04a7db
Opcode Fuzzy Hash: 4eb76c80bde85f0a219f57173fe3c3f8f313ac7f198739a8b0651269729f79f0
Instruction Fuzzy Hash: 74110872904258BBD7119BA9DC45BBE7FECEB45321F184665F925D33A0E6B0C90487A0

Function 00BBD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00BBCFF9,00000000,00000004,00000000), ref: 00BBD218
GetLastError.KERNEL32 ref: 00BBD224
__dosmaperr.LIBCMT ref: 00BBD22B
ResumeThread.KERNEL32(00000000), ref: 00BBD249

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 33305cd9056e9859503658d79dc11d15f3a349aee2929b7dd18cd364e9d5e3c7
Instruction ID: 9e32554524b0241fcfeb6409a66c03617625da72d9012c0f4bc2f5997eeac38f
Opcode Fuzzy Hash: 33305cd9056e9859503658d79dc11d15f3a349aee2929b7dd18cd364e9d5e3c7
Instruction Fuzzy Hash: AB01D6364052057BCB215BA5DC45BFE7AE9DF81330F100299F925921E0EBB58901C7A0

Function 00C29EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BA9BB2

GetClientRect.USER32(?,?), ref: 00C29F31
GetCursorPos.USER32(?), ref: 00C29F3B
ScreenToClient.USER32(?,?), ref: 00C29F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00C29F7A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b8add116e7b85ae823282f7f7d73080c2a95073148f42ac584df1ea93aef7911
Instruction ID: 0b28d71ac28376b0d3f05d04d396f9848e9975fdf0b4cc99100f02f62b25c8a0
Opcode Fuzzy Hash: b8add116e7b85ae823282f7f7d73080c2a95073148f42ac584df1ea93aef7911
Instruction Fuzzy Hash: 10115E3190012AABDB60DF98E985AEE77B8FF05311F000451F921E3950D734BB92DBA1

Function 00B9600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B9604C
GetStockObject.GDI32(00000011), ref: 00B96060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B9606A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5f67a6c09e6f377080c4bea8a0681a0349bd81117a28c99a1d2a681d4f3958a8
Instruction ID: 0bc174717c794602be2f267b11eab5de0d211994264c96b6f04ee094f13870c2
Opcode Fuzzy Hash: 5f67a6c09e6f377080c4bea8a0681a0349bd81117a28c99a1d2a681d4f3958a8
Instruction Fuzzy Hash: 2E116172501508BFEF264F949CD4FEEBBA9EF18794F040155FA1452120D7329C60DB90

Function 00BB3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00BB3B56

Part of subcall function 00BB3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BB3AD2
Part of subcall function 00BB3AA3: ___AdjustPointer.LIBCMT ref: 00BB3AED

_UnwindNestedFrames.LIBCMT ref: 00BB3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BB3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00BB3BA4

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 00af5686bcfaf775c2a3ce53718c40c7171a09d2adea251486a865479ac2f2d0
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E6012932100148BBDF126E95CC42EFB7BE9FF48B54F044094FE4856121C772E961EBA0

Function 00BC3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B913C6,00000000,00000000,?,00BC301A,00B913C6,00000000,00000000,00000000,?,00BC328B,00000006,FlsSetValue), ref: 00BC30A5
GetLastError.KERNEL32(?,00BC301A,00B913C6,00000000,00000000,00000000,?,00BC328B,00000006,FlsSetValue,00C32290,FlsSetValue,00000000,00000364,?,00BC2E46), ref: 00BC30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BC301A,00B913C6,00000000,00000000,00000000,?,00BC328B,00000006,FlsSetValue,00C32290,FlsSetValue,00000000), ref: 00BC30BF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 22a98468e9ab2925c81d8351371185ceee32624f969214be949e7a737310b100
Instruction ID: d2e289c2ac9441fc4afa68e3f3ec735ea213aca0a43dbe63c4fcb2a1f9d016cf
Opcode Fuzzy Hash: 22a98468e9ab2925c81d8351371185ceee32624f969214be949e7a737310b100
Instruction Fuzzy Hash: C501FC33311622ABC7314B79AC84F6F77D8EF05F61B548668F956E3140C721D901C6D0

Function 00BF7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BF747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BF7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BF74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BF74CA

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: eea32a155257a2ca89f2e540ff1bd29426e1dacb2d1fa9189daad099271857e2
Instruction ID: 3a6bde8ad3336e1ad8fb118b8610ec3916a09a60257fd3e423a98597a810eb2d
Opcode Fuzzy Hash: eea32a155257a2ca89f2e540ff1bd29426e1dacb2d1fa9189daad099271857e2
Instruction Fuzzy Hash: 29118EB12453199BE7309F14EC49BAA7BFCEB00B00F1085E9A616D7691DB70E908DB90

Function 00BFB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BFACD3,?,00008000), ref: 00BFB126

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ccd563167d51f58107006604eafe5a8aecf9cc0c078c8723b50ab866e5d9d1b8
Instruction ID: abb5ba49c82264e6f54ad5baf78ebad9305b6fdd6d141a4dbd4dfa45545ed979
Opcode Fuzzy Hash: ccd563167d51f58107006604eafe5a8aecf9cc0c078c8723b50ab866e5d9d1b8
Instruction Fuzzy Hash: 0D113931C11A2CE7CF10AFA4E9A9BFEBBB8FF09711F104085DA41B3581CB3096698B51

Function 00C27E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C27E33
ScreenToClient.USER32(?,?), ref: 00C27E4B
ScreenToClient.USER32(?,?), ref: 00C27E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C27E8A

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 983b06a36f2120cf42b6c65091330be761cadf67f8d83cd89cfe1e75e10f0530
Instruction ID: 0a05dc7dfd41b8fe1c5bf98f331616a5523bcd40ee0dac8596977c7567653b03
Opcode Fuzzy Hash: 983b06a36f2120cf42b6c65091330be761cadf67f8d83cd89cfe1e75e10f0530
Instruction Fuzzy Hash: 291143B9D0020AEFDB51CF98D884AEEBBF5FF08310F505156E915E2610D735AA55CF90

Function 00BF2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BF2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF2DD6
GetCurrentThreadId.KERNEL32 ref: 00BF2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BF2DE4

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4e2201af38eae128f74cf6ff992467fffbc94ddc56686d6df44289c2dce44df0
Instruction ID: 9cfed1fb0c2625757101b28ebf80b1199216b94de2f92edd6ea85f217d3b508e
Opcode Fuzzy Hash: 4e2201af38eae128f74cf6ff992467fffbc94ddc56686d6df44289c2dce44df0
Instruction Fuzzy Hash: 1CE09271111628BBE7301B729C8EFFF7EACEF42BA1F400165F605D24809AA4C846C6F0

Function 00C28863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BA9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BA9693
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96A2
Part of subcall function 00BA9639: BeginPath.GDI32(?), ref: 00BA96B9
Part of subcall function 00BA9639: SelectObject.GDI32(?,00000000), ref: 00BA96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C28887
LineTo.GDI32(?,?,?), ref: 00C28894
EndPath.GDI32(?), ref: 00C288A4
StrokePath.GDI32(?), ref: 00C288B2

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7d13ad17a1e525de4dfa96f11872406eb02b1b95c5fa03e8a33989eaa877c22a
Instruction ID: 39c3afb5d22c765a0e4da14f979a2b446c5c0fca1c40f5612407468acf5122ee
Opcode Fuzzy Hash: 7d13ad17a1e525de4dfa96f11872406eb02b1b95c5fa03e8a33989eaa877c22a
Instruction Fuzzy Hash: 50F05E36046668FAEB225F94AC0AFCE3F59AF06711F088000FA11654E1C7B55622DFE5

Function 00BA98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BA98CC
SetTextColor.GDI32(?,?), ref: 00BA98D6
SetBkMode.GDI32(?,00000001), ref: 00BA98E9
GetStockObject.GDI32(00000005), ref: 00BA98F1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: dfc11b0847e847ced0fc1550c6358a81c112c382dca7ee9ee8b0037f6ba497d9
Instruction ID: 3206dd5ca1fb8cd4ddd87ab9e157be324eda02abeb7d88a999d4f09b38a0f536
Opcode Fuzzy Hash: dfc11b0847e847ced0fc1550c6358a81c112c382dca7ee9ee8b0037f6ba497d9
Instruction Fuzzy Hash: 13E09B31254680BEDB315B79FC49BDD3F60EB12336F048259F6F5544E1C7714651AB11

Function 00BF162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BF1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BF11D9), ref: 00BF163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BF11D9), ref: 00BF1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BF11D9), ref: 00BF164F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a72f42eb8d440480b87ac639136aab6008c2d45080fe11f7fea8915575122e33
Instruction ID: f96597f2fbed797ec6e0a7116386adee3547c758d388d69ae50bc1d98fb10b85
Opcode Fuzzy Hash: a72f42eb8d440480b87ac639136aab6008c2d45080fe11f7fea8915575122e33
Instruction Fuzzy Hash: B6E08631611211EBD7301FA49D4DB9E3BBCEF44791F144C48F345CA090D6344446C754

Function 00BED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BED858
GetDC.USER32(00000000), ref: 00BED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BED882
ReleaseDC.USER32(?), ref: 00BED8A3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ead80dc47653dd0f20bba9c9ef9ed3090db6ae6c720976978baa051314bc7371
Instruction ID: 00f4fde927e780548967ff18cd04085514e1aae76e4d94372d3862962fb4811e
Opcode Fuzzy Hash: ead80dc47653dd0f20bba9c9ef9ed3090db6ae6c720976978baa051314bc7371
Instruction Fuzzy Hash: 44E01AB5810204DFCF619FA0D88876DBBF1FB08710F108059F81AE7650C7384902AF40

Function 00BED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BED86C
GetDC.USER32(00000000), ref: 00BED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BED882
ReleaseDC.USER32(?), ref: 00BED8A3

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c63b2c0fddd20979527a9f3fbae1fdbdbafdd12548a5ac2b0e8f7c82e556882d
Instruction ID: 1c30e495ad11ec13535eabedaa2edbf386000340c98aa7ea4748cb5a9bbf3906
Opcode Fuzzy Hash: c63b2c0fddd20979527a9f3fbae1fdbdbafdd12548a5ac2b0e8f7c82e556882d
Instruction Fuzzy Hash: C6E012B5C10200EFCF60AFA0D88876DBBF1FB08710B108049F81AE7A50CB385902AF80

Function 00C04D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97620: _wcslen.LIBCMT ref: 00B97625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C04ED4

Strings

*, xrefs: 00C04E10
LPT, xrefs: 00C04DFB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d4f4e3a1dcd69b4dffce2be348334b8ba0485ba9fbed526cf73ae17b05ebce92
Instruction ID: a42d8ffe18f4e2ff9c53f9e8332980509c04c087694f31c2f34704cb7c58e84b
Opcode Fuzzy Hash: d4f4e3a1dcd69b4dffce2be348334b8ba0485ba9fbed526cf73ae17b05ebce92
Instruction Fuzzy Hash: 259182B5A042059FCB18DF98C484EAABBF1FF44304F158099E51A9F3A2C731EE85CB90

Function 00BBE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BBE30D

Strings

pow, xrefs: 00BBE2E5, 00BBE302

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ebdab6ca711e2183ea04c92a23009ac4ad340a9d30f9c1481300689eff813a69
Instruction ID: f728110e329872580a9802bc3f9c6d63c8a49cc579c1c6c5dbfaaf55bb8c6ca6
Opcode Fuzzy Hash: ebdab6ca711e2183ea04c92a23009ac4ad340a9d30f9c1481300689eff813a69
Instruction Fuzzy Hash: 93514BB1A5C10297CB127714C941BFE2BE8EB40741F3489ECE4A6822B9DF74CC959E86

Function 00BAE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00BAE1B1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a936e8f60274808dfd06158a71d36b1694781099735a9f1a7399832156174665
Instruction ID: 326f62e52febf6ebc7863063281b53bc7030665f2a25bfed6c40919db8961454
Opcode Fuzzy Hash: a936e8f60274808dfd06158a71d36b1694781099735a9f1a7399832156174665
Instruction Fuzzy Hash: 3A51EF755043869FDB25DF69C481ABE7BE4EF66310F244099ECA19B290DB34DD42CBA0

Function 00BAF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BAF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BAF2BB

Strings

@, xrefs: 00BAF2AF

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 14034d88396d86c4dc415a5d6e10d52b6a12363e151db0f27b2215d4a46fc2fb
Instruction ID: af403ac4e002d351b63519ca75f71c56f3e479a51a8bfe237977e4e12e474c95
Opcode Fuzzy Hash: 14034d88396d86c4dc415a5d6e10d52b6a12363e151db0f27b2215d4a46fc2fb
Instruction Fuzzy Hash: 035137724187449BD720AF21DC86BAFBBF8FB85300F81889DF1D941195EB708569CB66

Function 00C15745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C157E0
_wcslen.LIBCMT ref: 00C157EC

Strings

CALLARGARRAY, xrefs: 00C157E6, 00C157EB

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 89258f33c95d423725d89c90242233236eb1eb4cd449efd9a08fd0919fc2301f
Instruction ID: 002f1908e43e29954f39a908d599aa0ff559cc2e7224bb89c61e2ebf32dc4ffa
Opcode Fuzzy Hash: 89258f33c95d423725d89c90242233236eb1eb4cd449efd9a08fd0919fc2301f
Instruction Fuzzy Hash: 66418C71A40209DFDB14DFA9C8819FEBBF5FF9A324F104069E515A7291EB309E81DB90

Function 00C0D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C0D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C0D13A

Strings

|, xrefs: 00C0D10B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 96be5f2024dbdee6a12144ff8c2b84baef0d332ff13290d844a6a3ead53a7cf0
Instruction ID: 3d3b1de9259ba2a8b4e79f2c6952b4368db3d3d19bfbc272d2c098136fcc2cda
Opcode Fuzzy Hash: 96be5f2024dbdee6a12144ff8c2b84baef0d332ff13290d844a6a3ead53a7cf0
Instruction Fuzzy Hash: 74311D71D00219ABCF15EFA5CC85AEE7FB9FF04350F100069F815A6166DB31AA56DB50

Function 00C2356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C23621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C2365C

Strings

static, xrefs: 00C235BC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 78dec9b6a785d275c0a2a3e89e91c5e9cca2b50f83ffbfc278a1c2d0e07354ba
Instruction ID: 51fc62df71d5106e049267137e8e85dfbd73eea927d5f82e817b54ed334e51d1
Opcode Fuzzy Hash: 78dec9b6a785d275c0a2a3e89e91c5e9cca2b50f83ffbfc278a1c2d0e07354ba
Instruction Fuzzy Hash: 56319071110654AEDB20DF28EC80FFB73ADFF48720F108619F9A997290DA35AD91D760

Function 00C24537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C2461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C24634

Strings

', xrefs: 00C2458E

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 05b3da2e4537f0f3c8e75e0491fa6a397fe0d04cd120d1f84004e080e1c6be96
Instruction ID: afa0af8052c960a02420d673d60f4e05a9e97965203ca11f913a361674c40629
Opcode Fuzzy Hash: 05b3da2e4537f0f3c8e75e0491fa6a397fe0d04cd120d1f84004e080e1c6be96
Instruction Fuzzy Hash: B93139B4A003199FDF18CFA9D980BDA7BB5FF09300F14406AE904AB741D770AA41CF90

Function 00C231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C2327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C23287

Strings

Combobox, xrefs: 00C23249

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 22decc1cb3c33d4cacb2057db9014f57b046d676013e503a54c906f96b306872
Instruction ID: 3280ec928110c0edf743311519a15827876cc9e7ff13957699183402eea837bd
Opcode Fuzzy Hash: 22decc1cb3c33d4cacb2057db9014f57b046d676013e503a54c906f96b306872
Instruction Fuzzy Hash: 3211E271300258BFEF21DE54EC80FBB3B6AEB98364F100124F928A7692D6759E518760

Function 00C23710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B9600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B9604C
Part of subcall function 00B9600E: GetStockObject.GDI32(00000011), ref: 00B96060
Part of subcall function 00B9600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B9606A

GetWindowRect.USER32(00000000,?), ref: 00C2377A
GetSysColor.USER32(00000012), ref: 00C23794

Strings

static, xrefs: 00C23757

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 218ea6a2b9cbb6e76d14557253d705e5e5c3f2bcdea5b14ae677ae5df15cee94
Instruction ID: 67cd85696d28256c7ffbc965580af5ed36e1d7609fa7c12085c0e03c73425735
Opcode Fuzzy Hash: 218ea6a2b9cbb6e76d14557253d705e5e5c3f2bcdea5b14ae677ae5df15cee94
Instruction Fuzzy Hash: 6B1159B2610219AFDF10DFA8DC85AEE7BB8FB08304F004524F965E2250D774E911DB50

Function 00C0CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C0CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C0CDA6

Strings

<local>, xrefs: 00C0CD66

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1634ff44a925b87e20362cb41550769e171235ead0e82151bbded82bb03b1365
Instruction ID: 04e142739af7a517c72fd9b5a643e15817d5d0b0fbc16fda53c38c09efd69a66
Opcode Fuzzy Hash: 1634ff44a925b87e20362cb41550769e171235ead0e82151bbded82bb03b1365
Instruction Fuzzy Hash: 5611A071215731BAD7384B668CC9FE7BEA8EF127A4F00433AF119830C0E6609A55D6F0

Function 00C23429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C234BA

Strings

edit, xrefs: 00C2348F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f071982b5bae7ffa6f36ff98f851c913bc8622ddf25ab5a791b432cc92e827be
Instruction ID: 56ca97956b7a9eadcc2f6b2996c8ed04438f56e31601270c23a11646f48249b1
Opcode Fuzzy Hash: f071982b5bae7ffa6f36ff98f851c913bc8622ddf25ab5a791b432cc92e827be
Instruction Fuzzy Hash: 9D11BF71100168ABEB22AE64EC84BAB3B6AEB05374F504364FA70939D0C779DE519B60

Function 00BF6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

CharUpperBuffW.USER32(?,?,?), ref: 00BF6CB6
_wcslen.LIBCMT ref: 00BF6CC2

Strings

STOP, xrefs: 00BF6CBC, 00BF6CC1

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 0d2093e43ba8db891f0db5cb09a76b26210698560454bc9162ff441848bad264
Instruction ID: c9499928a11322e2d635f27e474624c50f62a5a378ed6bb871ecf2fe7418b1d5
Opcode Fuzzy Hash: 0d2093e43ba8db891f0db5cb09a76b26210698560454bc9162ff441848bad264
Instruction Fuzzy Hash: AA01C032A1052E9BCB20AFFDDC809BF77F5EB6171071005B8EEA297195EB31D948C650

Function 00BF1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BF1D4C

Strings

ComboBox, xrefs: 00BF1CEB
ListBox, xrefs: 00BF1D16

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 69f0256628c17f5f270dc6b01496ce4ac82d696f8b338d36d9d880e7a2ef1a64
Instruction ID: 2dfddc53e1bb51c5941ba75fc556bd721d4dfe4e1f8a09400e8c0811d3aea4ee
Opcode Fuzzy Hash: 69f0256628c17f5f270dc6b01496ce4ac82d696f8b338d36d9d880e7a2ef1a64
Instruction Fuzzy Hash: 0B01B579601218EB8F14EBA8CC559FE73F8EB46350B040DAEF932672D1EA31590C8660

Function 00BF1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BF1C46

Strings

ComboBox, xrefs: 00BF1BE5
ListBox, xrefs: 00BF1C10

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 78a72a597d7df750c4921a704c0020bcb3dd4e94a7b3ebb0bcf7745201296e1b
Instruction ID: 7e59dc17675602b2d6b1f99f13bb401ffccc3689e84b30571fbc6aba0dae0c8a
Opcode Fuzzy Hash: 78a72a597d7df750c4921a704c0020bcb3dd4e94a7b3ebb0bcf7745201296e1b
Instruction Fuzzy Hash: 9201A77568110CA7CF14EBA8CDA5AFF77E8DB11340F1408ADFA1677281EA209E0CC6B5

Function 00BF1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BF1CC8

Strings

ComboBox, xrefs: 00BF1C69
ListBox, xrefs: 00BF1C94

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d8da2ea676e5c28fa5c54135cd17b2adbee751b643d46bfb1d9cf28d9efa0a99
Instruction ID: e4e860d0983ea4c10384477770542fcd55d6e519de0a66c8f77827c541215fd2
Opcode Fuzzy Hash: d8da2ea676e5c28fa5c54135cd17b2adbee751b643d46bfb1d9cf28d9efa0a99
Instruction Fuzzy Hash: 1601D675A8021CA7CF14EBA9CE51AFE77E8DB11380F1408A9F91277281EA219F0CC671

Function 00BF1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99CB3: _wcslen.LIBCMT ref: 00B99CBD

Part of subcall function 00BF3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BF3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BF1DD3

Strings

ComboBox, xrefs: 00BF1D75
ListBox, xrefs: 00BF1DA0

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 53350048a570c29de491937ee2fcec443018f84039d3baf8e919deaf7299d4e1
Instruction ID: 80ac9e43064924393e39c5db345fb2ab46e8403ba6a0417ac077aea9f0e4713f
Opcode Fuzzy Hash: 53350048a570c29de491937ee2fcec443018f84039d3baf8e919deaf7299d4e1
Instruction Fuzzy Hash: 5DF0A975A51218A7DF14E7A9CC95BFE77F8EB01750F040D79F922632C1DA60590C8264

Function 00C1747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C17493
_wcslen.LIBCMT ref: 00C174B9

Strings

3, 3, 16, 1, xrefs: 00C17483

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1375b39b22bdec248a1c4b957e36e3343c2dbcd0adc872878baa784d47491807
Instruction ID: cab303f2035e217cd962494cbd8f998e50cf2444d8e3b93aa6945b80ba5e8337
Opcode Fuzzy Hash: 1375b39b22bdec248a1c4b957e36e3343c2dbcd0adc872878baa784d47491807
Instruction Fuzzy Hash: 6CE02B062042201593311279ACC19FF56D9DFCA7A0714192BF9C1C2267EBD4CED1A3A0

Function 00BF0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BF0B23

Strings

Error allocating memory., xrefs: 00BF0B1C
AutoIt, xrefs: 00BF0B17

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0a32a1fc0e96c113298785cab9539a62bcd0c46621584a1eb72fca1052787bed
Instruction ID: 4d6d70bcbdcd8250cab4dc47c07fedfaaf40a9ef8921f9a5d7b495cc3b287f29
Opcode Fuzzy Hash: 0a32a1fc0e96c113298785cab9539a62bcd0c46621584a1eb72fca1052787bed
Instruction Fuzzy Hash: AEE0D83124831826D22436947C43FDD7BC49F05F61F1004B6FB98558D38AE1649006EE

Function 00BB0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BAF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BB0D71,?,?,?,00B9100A), ref: 00BAF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B9100A), ref: 00BB0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B9100A), ref: 00BB0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BB0D7F

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 6dfaa1e5bcd4f2d4ce912f5979158ef7877fdc641848f9b1c964d8fee9d78d28
Instruction ID: f813a1e12caf5e04cfa49a8f53a30bc69f30864ead289743b41c7e47e483a219
Opcode Fuzzy Hash: 6dfaa1e5bcd4f2d4ce912f5979158ef7877fdc641848f9b1c964d8fee9d78d28
Instruction Fuzzy Hash: 82E06DB02103118BD731AFBDE4483AA7BF0AF00740F0489BDE882C6AA1DBF4E4458B91

Function 00C03017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C0302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C03044

Strings

aut, xrefs: 00C03038

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 316009f0687996d1eaaa3122172d073d2b05d97ef0b6364fec598dabbcdac24a
Instruction ID: 72a62bacf676a461cae11c837dd2ddb8de865da31a3f721c76d58b4d254fa783
Opcode Fuzzy Hash: 316009f0687996d1eaaa3122172d073d2b05d97ef0b6364fec598dabbcdac24a
Instruction Fuzzy Hash: EFD05EB6500328A7DB30A7A4AC4EFCF3A6CDB04751F4002A1BA55E2091DEF49985CAD0

Function 00BED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BED220

Strings

X64, xrefs: 00BED2A8
%.3d, xrefs: 00BED22B

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e2f0fd0c66f8c4c93fd4534dafd90ae8b1ddedc613a544d9db4658556fc0dd00
Instruction ID: 5e048cfea8ebc7b5b4ef3dad613fc5c12fe48cec8db01fcb1ac93ed61fe7156c
Opcode Fuzzy Hash: e2f0fd0c66f8c4c93fd4534dafd90ae8b1ddedc613a544d9db4658556fc0dd00
Instruction Fuzzy Hash: 88D01261808149E9CB5097E1DCC59BDB3FCAB09341F5084E2FA16A1050D764C5496B61

Function 00C22356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C2236C
PostMessageW.USER32(00000000), ref: 00C22373

Part of subcall function 00BFE97B: Sleep.KERNEL32 ref: 00BFE9F3

Strings

Shell_TrayWnd, xrefs: 00C22365

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6f701eb6cf2ea569ade8376a01ab9a21000bf174dfaab981c4e209fd98a0667f
Instruction ID: 4117a9a3b70484d2f0e5413ab31277d1b8a433de02fd0876abdbbd589b0e3019
Opcode Fuzzy Hash: 6f701eb6cf2ea569ade8376a01ab9a21000bf174dfaab981c4e209fd98a0667f
Instruction Fuzzy Hash: B9D0A932390300BAE274A7309C4FFCE66049B04B00F404A22B701AB0E0C8F0A8468A18

Function 00C22322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C2232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C2233F

Part of subcall function 00BFE97B: Sleep.KERNEL32 ref: 00BFE9F3

Strings

Shell_TrayWnd, xrefs: 00C22325

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6a4175071132f1e55c7af80b9a394f460c97026c0e1493000545d6b95df69d89
Instruction ID: c17b67f9324a31c3b68c5b32287e7a1b9a65b61e5bc44fae4f0576ae09cc5984
Opcode Fuzzy Hash: 6a4175071132f1e55c7af80b9a394f460c97026c0e1493000545d6b95df69d89
Instruction Fuzzy Hash: C9D022363A4300B7E274B730DC4FFDE7A049B00B00F004A22B705AB0E0C8F0E846CA14

Function 00BCBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00BCBE93
GetLastError.KERNEL32 ref: 00BCBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BCBEFC

Memory Dump Source

Source File: 00000000.00000002.2121707893.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2121681949.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C2C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121801236.0000000000C52000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121862471.0000000000C5C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2121885227.0000000000C64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 87b7f035214cbd65d79b4eed41a9d97658311e100f62d1efe69b96098876017b
Instruction ID: 0d878cc2ab85293b481917ac5ff10d92b313b2a0def41edb3acda32fe28610fc
Opcode Fuzzy Hash: 87b7f035214cbd65d79b4eed41a9d97658311e100f62d1efe69b96098876017b
Instruction Fuzzy Hash: 0C41AE35600216ABDF218FA4CC86FBE7BE5EF41720F1441ADF9599B2A1DB308D05CB61

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2275594882.000005763A003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275594882.000005763A003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: +://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2275594882.000005763A003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: +://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: +www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2278169001.000001E2E4A47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2211355361.000001E2E1C45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213149112.000001E2DBCD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212231791.000001E2E07B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2212231791.000001E2E07B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212823255.000001E2E05B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213686231.000001E2DBC37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2300759287.000001E2E44E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2278169001.000001E2E4A47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2211355361.000001E2E1C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291424406.000001E2E1C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2211355361.000001E2E1C1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291424406.000001E2E1C26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2211355361.000001E2E1C45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213149112.000001E2DBCD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212231791.000001E2E07B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2212231791.000001E2E07B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212823255.000001E2E05B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213686231.000001E2DBC37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3319370426.0000022C7C903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3319370426.0000022C7C903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2293924713.000001E2DAD52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3319370426.0000022C7C903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&6 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&6 equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3320151971.000002917B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&6 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2278169001.000001E2E4A47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283647437.000001E2E3EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300759287.000001E2E44E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278169001.000001E2E4A47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2283647437.000001E2E3EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210480282.000001E2E3EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278712927.000001E2E3EDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2275695905.0000019194403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49995 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49994 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_14212507-c320-4cdb-99ef-76518336a749.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_14212507-c320-4cdb-99ef-76518336a749.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre