Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541742
MD5:	4237dc911607c252913c1aaa104b0a00
SHA1:	df404d3dc9270c874a22bf18fefaa912da437caf
SHA256:	054c586eec5767c6ebab30c217b5b91a061b705ef75740b8449cd68bed47df39
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1080 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4237DC911607C252913C1AAA104B0A00)

taskkill.exe (PID: 5644 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6584 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4352 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4984 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4320 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3176 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7120 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5972 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4196 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3441bc3-2fa6-4d7a-9d02-45c0be3c048a} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6db10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6572 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f741068d-6997-4c3a-8132-9ca401b21f94} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a388203810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d86d31-3579-4dc9-bb9d-213b448bd290} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6e110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1080	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_001CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001CED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001CEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001BAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001E9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2025276691.0000000000212000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ec5d2360-d
Source: file.exe, 00000000.00000000.2025276691.0000000000212000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_19a49270-a
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a046734a-d
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_658fef9a-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000248A96C2377 NtQuerySystemInformation,		17_2_00000248A96C2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000248A96EAFB2 NtQuerySystemInformation,		17_2_00000248A96EAFB2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001BD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001BE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015BF40	0_2_0015BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C2046	0_2_001C2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00158060	0_2_00158060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B8298	0_2_001B8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018E4FF	0_2_0018E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018676B	0_2_0018676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E4873	0_2_001E4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017CAA0	0_2_0017CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015CAF0	0_2_0015CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016CC39	0_2_0016CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00186DD9	0_2_00186DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016B119	0_2_0016B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001591C0	0_2_001591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171394	0_2_00171394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171706	0_2_00171706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017781B	0_2_0017781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00157920	0_2_00157920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016997D	0_2_0016997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001719B0	0_2_001719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00177A4A	0_2_00177A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171C77	0_2_00171C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00177CA7	0_2_00177CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DBE44	0_2_001DBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00189EEE	0_2_00189EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00171F32	0_2_00171F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000248A96C2377	17_2_00000248A96C2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000248A96EAFB2	17_2_00000248A96EAFB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000248A96EAFF2	17_2_00000248A96EAFF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000248A96EB6DC	17_2_00000248A96EB6DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00170A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0016F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00159CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C37B5 GetLastError,FormatMessageW,

0_2_001C37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B10BF AdjustTokenPrivileges,CloseHandle,		0_2_001B10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001B16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001C51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001BD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001C648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001542A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2232226792.000001A38F3B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214531353.000001A38F3B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3441bc3-2fa6-4d7a-9d02-45c0be3c048a} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6db10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f741068d-6997-4c3a-8132-9ca401b21f94} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a388203810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d86d31-3579-4dc9-bb9d-213b448bd290} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6e110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3441bc3-2fa6-4d7a-9d02-45c0be3c048a} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6db10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f741068d-6997-4c3a-8132-9ca401b21f94} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a388203810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d86d31-3579-4dc9-bb9d-213b448bd290} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6e110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2182596117.000001A389B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2175185835.000001A385595000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173130996.000001A38558F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172260125.000001A385592000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174641680.000001A385590000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2182596117.000001A389B1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2180172211.000001A385595000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: ktmw32.pdbGCTL source: firefox.exe, 0000000E.00000003.2175185835.000001A385595000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173130996.000001A38558F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172260125.000001A385592000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174641680.000001A385590000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2180172211.000001A385595000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00170A76 push ecx; ret

0_2_00170A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0016F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001E1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98195

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000248A96C2377 rdtsc

17_2_00000248A96C2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001BDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018C2A2 FindFirstFileExW,	0_2_0018C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C68EE FindFirstFileW,FindClose,	0_2_001C68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001C698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001BD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001C979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001C9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001C5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: firefox.exe, 00000010.00000002.3294954162.000001A4D7100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: firefox.exe, 00000010.00000002.3294954162.000001A4D7100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3294301853.00000248A9750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: firefox.exe, 00000010.00000002.3290344363.000001A4D6C2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000011.00000002.3294301853.00000248A9750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: firefox.exe, 00000010.00000002.3290344363.000001A4D6C54000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3289248324.00000248A8E5A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3293420228.000001DF5E100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000E.00000003.2257465966.000001A3FE1BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3294058683.000001A4D7017000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3294301853.00000248A9750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWk
Source: firefox.exe, 00000012.00000002.3288884495.000001DF5DCCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: firefox.exe, 00000010.00000002.3294954162.000001A4D7100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3294301853.00000248A9750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000248A96C2377 rdtsc

17_2_00000248A96C2377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CEAA2 BlockInput,

0_2_001CEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00182622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00174CE8 mov eax, dword ptr fs:[00000030h]

0_2_00174CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001B0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00182622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00182622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0017083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001709D5 SetUnhandledExceptionFilter,	0_2_001709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00170C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00170C21

Source: C:\Users\user\Desktop\file.exe

0_2_001B1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00192BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00192BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BB226 SendInput,keybd_event,

0_2_001BB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001D22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_001B0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001B1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2172892418.000001A389B38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00170698 cpuid

0_2_00170698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001C8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AD27A GetUserNameW,

0_2_001AD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0018B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0018B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1080, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1080, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001D1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
http://exslt.org/common	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.206.78	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.184.238	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.193.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A91C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3290744122.000001DF5E0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2276239475.000001A387546000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2157367057.000001A38774F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155808934.000001A38644A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227506458.000001A3878FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246509869.000001A3875F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2101838690.000001A38D91D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 0000000E.00000003.2103555427.000001A3FE0AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3291510944.000001A4D6FC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3293788315.000001DF5E303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000E.00000003.2261853553.000001A3F4FDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3291510944.000001A4D6F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A9186000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3290744122.000001DF5E08F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2291901870.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222774916.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242468804.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264488350.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236744149.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2106189720.000001A387A67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215898726.000001A38D7E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2271209860.000001A3872AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250956539.000001A3872E4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2261086276.000001A3FE9B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2262646504.000001A390B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2069807698.000001A385A6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069515665.000001A385A38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069351593.000001A385A1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070007037.000001A385A8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069191374.000001A385800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069672638.000001A385A53000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2227506458.000001A3878C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256073263.000001A3878C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2216788265.000001A38D729000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2244363795.000001A38D815000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2069807698.000001A385A6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069515665.000001A385A38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069351593.000001A385A1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115543584.000001A387684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2113369742.000001A387684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116857759.000001A387684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2118121271.000001A387684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173763787.000001A387684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070007037.000001A385A8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069191374.000001A385800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271021806.000001A387581000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247034720.000001A387580000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069672638.000001A385A53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2069807698.000001A385A6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069515665.000001A385A38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069351593.000001A385A1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069191374.000001A385800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2069672638.000001A385A53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/sets	firefox.exe, 0000000E.00000003.2103555427.000001A3FE08A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257634638.000001A3FE08A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2293482734.000001A3861EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214263394.000001A38FD31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2255186062.000001A3862F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2291901870.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222774916.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242468804.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264488350.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236744149.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2259386156.000001A38E37C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/common	firefox.exe, 0000000E.00000003.2103555427.000001A3FE08A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257634638.000001A3FE08A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2236744149.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215898726.000001A38D7E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2257465966.000001A3FE1BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/dates-and-times	firefox.exe, 0000000E.00000003.2103555427.000001A3FE05B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258349381.000001A3FE05B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2271814526.000001A3867D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2081221764.000001A3852DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200490367.000001A3852DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172683916.000001A3852DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156505033.000001A3852DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 00000012.00000002.3290744122.000001DF5E00C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2155532814.000001A38645B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2254466866.000001A38666E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2215898726.000001A38D7E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2245638535.000001A38868D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267836731.000001A388697000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2243835566.000001A38D861000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A91C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3290744122.000001DF5E0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2155532814.000001A38645B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2270763246.000001A387C32000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://amazon.com	firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2227506458.000001A3878C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256073263.000001A3878C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2262049184.000001A390BFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2252556891.000001A387196000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 0000000E.00000003.2103555427.000001A3FE0AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3291510944.000001A4D6FC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3293788315.000001DF5E303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 0000000E.00000003.2103555427.000001A3FE0AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3291510944.000001A4D6FC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A91E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3293788315.000001DF5E303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2257465966.000001A3FE1DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2271209860.000001A3872AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267048611.000001A389050000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292428468.000001A389050000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3290345913.00000248A9112000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3290744122.000001DF5E013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215898726.000001A38D7E0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000011.00000002.3293009934.00000248A92E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/Z	firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2216788265.000001A38D729000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2236744149.000001A38DB9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289717850.000001A38DB9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2196745593.000001A387653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081620895.000001A386D36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101838690.000001A38D918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2207944660.000001A38779E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117651590.000001A3874B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080737422.000001A386D13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101538098.000001A38D99A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2224739031.000001A3892F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297329603.000001A387417000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294719696.000001A3860BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2105148160.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2081620895.000001A386D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305347900.000001A38741A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225561833.000001A389253000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245638535.000001A3886B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2104244608.000001A3883A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220348626.000001A385FC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119886347.000001A3877A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2150029049.000001A387981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155838848.000001A38779E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175079016.000001A3873CE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.openh264.org/	firefox.exe, 0000000E.00000003.2257465966.000001A3FE1BF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2249855749.000001A38D73A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216788265.000001A38D73A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2271814526.000001A3867D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238846091.000001A38D79C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2271814526.000001A3867D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238846091.000001A38D79C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2236744149.000001A38DB9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289717850.000001A38DB9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2101838690.000001A38D91D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2244363795.000001A38D815000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2106189720.000001A387A67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238660720.000001A38DB53000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2244363795.000001A38D815000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2250821063.000001A3872EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3290765526.000001A4D6D50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3293289511.00000248A9680000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3293549576.000001DF5E200000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2268890625.000001A3883BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2104244608.000001A3883A8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2155532814.000001A38645B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.206.78	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541742
Start date and time:	2024-10-25 04:55:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 52.13.186.250, 44.231.229.39, 142.250.185.110, 2.22.61.56, 2.22.61.59, 142.250.184.238, 142.250.186.42, 216.58.206.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
22:56:10	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	http://ylh2qh022.spreadsheetninjas.com/q3bCCwDV?sub1=ed10U&keyword=rbraley@avitusgroup.com&sub2=xelosv.nl	Get hash	malicious	Porn Scam	Browse	157.240.253.35
	http://scansourcce.com/	Get hash	malicious	Unknown	Browse	157.240.0.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.232.12.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	34.149.120.3
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Unknown	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://toungeassociates-sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://scansourcce.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Unknown	Browse	151.101.1.91
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	199.232.210.84
ATGS-MMD-ASUS	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	33.232.12.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	http://elliottconnie.com/	Get hash	malicious	Unknown	Browse	34.149.120.3
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff3da076-613a-4f5d-a016-a306fc15f415.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177778688603099
Encrypted:	false
SSDEEP:	192:BKMXgCdcbhbVbTbfbRbObtbyEl7nUr9JA6wnSrDtTkd/Sb:BPVcNhnzFSJ0r4jnSrDhkd/i
MD5:	D039E01AD663520FC450A6C6C5856ED6
SHA1:	C3C4A5025275BAB45774064A7F0DBEF07E83E3E4
SHA-256:	9741F3B9A4EE7E48B609FFF69BB6DDA903B2724610B3DDA8F79935BCF25862E7
SHA-512:	C8B18D280567A97BEB753990D661E82D7415EB22609324A3AC30D3FB382312B4F69F9752093B49D08CDA49972AD398DEBE2F104AA21770E9BBB0C6AF79DCD412
Malicious:	false
Preview:	{"type":"uninstall","id":"ff3da076-613a-4f5d-a016-a306fc15f415","creationDate":"2024-10-25T04:29:44.584Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff3da076-613a-4f5d-a016-a306fc15f415.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177778688603099
Encrypted:	false
SSDEEP:	192:BKMXgCdcbhbVbTbfbRbObtbyEl7nUr9JA6wnSrDtTkd/Sb:BPVcNhnzFSJ0r4jnSrDhkd/i
MD5:	D039E01AD663520FC450A6C6C5856ED6
SHA1:	C3C4A5025275BAB45774064A7F0DBEF07E83E3E4
SHA-256:	9741F3B9A4EE7E48B609FFF69BB6DDA903B2724610B3DDA8F79935BCF25862E7
SHA-512:	C8B18D280567A97BEB753990D661E82D7415EB22609324A3AC30D3FB382312B4F69F9752093B49D08CDA49972AD398DEBE2F104AA21770E9BBB0C6AF79DCD412
Malicious:	false
Preview:	{"type":"uninstall","id":"ff3da076-613a-4f5d-a016-a306fc15f415","creationDate":"2024-10-25T04:29:44.584Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.919954555189404
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNAOZ9cxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LIe8P
MD5:	8AD27B6CF944DFA3F0113432D8DAE65C
SHA1:	E51743C8EA6CF830BA0AFC5FCCCA9E95B456554B
SHA-256:	D44E9E821D8CE0F0C51D735C9D556B6549F786FD82E89F79CC47425BD8AA1B72
SHA-512:	CFF930C129E551EE7CFF8CC141C67E5C2D990B561DD3412244B0B9628A3EC642E322AD80309A5E37514FBDB68E29157CBFCC1B6D9FFD1901805640FF2525A766
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.919954555189404
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNAOZ9cxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LIe8P
MD5:	8AD27B6CF944DFA3F0113432D8DAE65C
SHA1:	E51743C8EA6CF830BA0AFC5FCCCA9E95B456554B
SHA-256:	D44E9E821D8CE0F0C51D735C9D556B6549F786FD82E89F79CC47425BD8AA1B72
SHA-512:	CFF930C129E551EE7CFF8CC141C67E5C2D990B561DD3412244B0B9628A3EC642E322AD80309A5E37514FBDB68E29157CBFCC1B6D9FFD1901805640FF2525A766
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07331351347327941
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiB:DLhesh7Owd4+ji
MD5:	8C8646CFB0144AA33D92FBF79AA18AD1
SHA1:	B7E0EC09CD1987CDF1265F174DE8F5704169E42F
SHA-256:	5F0CDCE19D611B8B71EEC380B5E969C2C3B9C36372727D089E5215460B6368DF
SHA-512:	6A0AA9539E6BAE1662ABF3C6C2B8CCB38734CEA1C46599DD7611D3EA5D8C82680464CD6156286FA54B652C9BACE84C64511F8361F8C675E0C66F1722DEBB7C39
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFPZLUL3Pj/GLLviltlstFPZLUL3Pj/GLLvXL89//alEl:GtWtfGDtWtfG2L89XuM
MD5:	3FC8790A0EA697BB62C73CEFE911EF0A
SHA1:	8CD26B9E3F85AC981A072E00F7179D8998779A1E
SHA-256:	988004AB9B7417310ECC7E4278F302750F62FC53E5B5F8A3D38CD6FB8E5C6B2D
SHA-512:	D07EAE682DFA5967F1EA893A1BAEC0DF43C27717F81FE114DCA9F92818678B45550A8063C57817881ECF70211B688E4C29B2B68275DEAE1B1F47F6964F4C5EFA
Malicious:	false
Preview:	..-......................h..[.q.....jF...c..k.x..-......................h..[.q.....jF...c..k.x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039920253262097694
Encrypted:	false
SSDEEP:	3:Ol1mb/cqjly4biXil8rEXsxdwhml8XW3R2:KkzHPiyl8dMhm93w
MD5:	2B38A14E9FA96D3C586D844AFABF7D2E
SHA1:	DA210FF67E51B33CF0191920212AB34AA1641ACD
SHA-256:	CBC148B07A82599A813D3647E375DB28A4BBC6E67A2CCDB0ED8FA9A7540741D8
SHA-512:	CF3283D789492DD7E2835B3B5592E781E2EB919E97CAA466CB2D2AD6C1A0313432C401874493BDB1A8569F19B4087D41E96699F5C4AAD15BF7067BF047C963EE
Malicious:	false
Preview:	7....-..............jF....0...?............jF..h..q.[................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	modified
Size (bytes):	13187
Entropy (8bit):	5.4784262398169306
Encrypted:	false
SSDEEP:	192:cnPOeRnLYbBp6vJ0aX+C6SEXKklNoR5RHWNBw8d0Sl:ODeSJU5ZvwHEwP0
MD5:	33CB59C44E7A27EEEED8F87EEBB421AC
SHA1:	E0BF8ADB8912CEB5AFF791B9058B3C27110E557B
SHA-256:	9129DF704D3B5BD2520814821C278CC62DC052C33202336238C0C8E15B070A13
SHA-512:	529466A68522699AE5397C0444802BE0C4FDDD57E4739CEBB591531CAA327F8B99E2981A301C96AD0634AA2A1E24444714C2516FE2FC0F05B0B985EC33196D7D
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729830555);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729830555);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729830555);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172983

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4784262398169306
Encrypted:	false
SSDEEP:	192:cnPOeRnLYbBp6vJ0aX+C6SEXKklNoR5RHWNBw8d0Sl:ODeSJU5ZvwHEwP0
MD5:	33CB59C44E7A27EEEED8F87EEBB421AC
SHA1:	E0BF8ADB8912CEB5AFF791B9058B3C27110E557B
SHA-256:	9129DF704D3B5BD2520814821C278CC62DC052C33202336238C0C8E15B070A13
SHA-512:	529466A68522699AE5397C0444802BE0C4FDDD57E4739CEBB591531CAA327F8B99E2981A301C96AD0634AA2A1E24444714C2516FE2FC0F05B0B985EC33196D7D
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729830555);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729830555);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729830555);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172983

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.343920549045389
Encrypted:	false
SSDEEP:	48:GUpOxXPqJkr5CnRcoegZ3erjxix4Jwc3zBtb:A8k5ORFTJRx4mcP
MD5:	C621F5E88DA42D46632DA7CBA58BDD1D
SHA1:	35C85BEFDDB69551B46FC15585605F339CCD2288
SHA-256:	A5482B3BCFD23C884767602431BFF56227C06D51254796949F57768C9D854A09
SHA-512:	991BF4171B6BD348F37393039F3825EA1910817A44BAD4C50534947155B87940A2E329D5B333B2B58D0CFDDAF92B822CFB242BCC5B179D87C03719E46924A5BB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1cd48b87-1677-41bb-af8b-a510681405fd}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729830559810,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P24183...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...32966,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.343920549045389
Encrypted:	false
SSDEEP:	48:GUpOxXPqJkr5CnRcoegZ3erjxix4Jwc3zBtb:A8k5ORFTJRx4mcP
MD5:	C621F5E88DA42D46632DA7CBA58BDD1D
SHA1:	35C85BEFDDB69551B46FC15585605F339CCD2288
SHA-256:	A5482B3BCFD23C884767602431BFF56227C06D51254796949F57768C9D854A09
SHA-512:	991BF4171B6BD348F37393039F3825EA1910817A44BAD4C50534947155B87940A2E329D5B333B2B58D0CFDDAF92B822CFB242BCC5B179D87C03719E46924A5BB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1cd48b87-1677-41bb-af8b-a510681405fd}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729830559810,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P24183...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...32966,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.343920549045389
Encrypted:	false
SSDEEP:	48:GUpOxXPqJkr5CnRcoegZ3erjxix4Jwc3zBtb:A8k5ORFTJRx4mcP
MD5:	C621F5E88DA42D46632DA7CBA58BDD1D
SHA1:	35C85BEFDDB69551B46FC15585605F339CCD2288
SHA-256:	A5482B3BCFD23C884767602431BFF56227C06D51254796949F57768C9D854A09
SHA-512:	991BF4171B6BD348F37393039F3825EA1910817A44BAD4C50534947155B87940A2E329D5B333B2B58D0CFDDAF92B822CFB242BCC5B179D87C03719E46924A5BB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1cd48b87-1677-41bb-af8b-a510681405fd}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729830559810,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P24183...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...32966,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030644732477612
Encrypted:	false
SSDEEP:	96:yc6MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:JTEr5NX0z3DhRe
MD5:	91BD3F2B82D8B7F704D70D3079CA936A
SHA1:	535C2638AEE031590235219A73355200F15E98FE
SHA-256:	4955D42A4A9C647A4DBC6B33D91005F2E0E1860E5EE594516944F8E8B3B6A062
SHA-512:	4051FD76999EB658109643CBD0C8D7672CB6765BDB25F81DA152F4B685D02EBD7420A4B860B372E77C1C6F5AF04ECDFF46E995C1716B7F3684130284D212853F
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T04:28:59.586Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030644732477612
Encrypted:	false
SSDEEP:	96:yc6MTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:JTEr5NX0z3DhRe
MD5:	91BD3F2B82D8B7F704D70D3079CA936A
SHA1:	535C2638AEE031590235219A73355200F15E98FE
SHA-256:	4955D42A4A9C647A4DBC6B33D91005F2E0E1860E5EE594516944F8E8B3B6A062
SHA-512:	4051FD76999EB658109643CBD0C8D7672CB6765BDB25F81DA152F4B685D02EBD7420A4B860B372E77C1C6F5AF04ECDFF46E995C1716B7F3684130284D212853F
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T04:28:59.586Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584642519148706
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	4237dc911607c252913c1aaa104b0a00
SHA1:	df404d3dc9270c874a22bf18fefaa912da437caf
SHA256:	054c586eec5767c6ebab30c217b5b91a061b705ef75740b8449cd68bed47df39
SHA512:	0b513bf72f56cb526b1a276e32840207743ae59a45c9f7ac80d54618b1e10908967b0858de1315bb9aac91ea52946ed27d220fa9ba2b05e8666c6cd3acef66ed
SSDEEP:	12288:mqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tf:mqDEvCTbMWu7rQYlBQcBiT6rprG8abf
TLSH:	E8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B065E [Fri Oct 25 02:45:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F52C4F750C3h
jmp 00007F52C4F749CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F52C4F74BADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F52C4F74B7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F52C4F7776Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F52C4F777B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F52C4F777A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	0df7fe6f63ed43938623cafd0fc490fb	False	0.31566455696202533	data	5.372288807701839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 04:56:03.858997107 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:03.859034061 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:03.860562086 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:03.864875078 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:03.864898920 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:04.487931967 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:04.492539883 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:04.501353025 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:04.501365900 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:04.501461029 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:04.501555920 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:04.501679897 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:04.738984108 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:04.739013910 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:04.739800930 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:04.741302967 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:04.741312981 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:04.870667934 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:04.870697975 CEST	443	49713	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:04.877068996 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:04.881345987 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:04.881357908 CEST	443	49713	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:04.899615049 CEST	49714	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:04.904959917 CEST	80	49714	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:04.905039072 CEST	49714	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:04.905164003 CEST	49714	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:04.910465956 CEST	80	49714	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:05.503504038 CEST	80	49714	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:05.555754900 CEST	49714	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:05.614700079 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.615425110 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.616200924 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.616219044 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.621078014 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.621090889 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.621165991 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.621263027 CEST	443	49712	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.629717112 CEST	49712	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.630409956 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:05.630501032 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:05.630642891 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:05.631969929 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:05.632019997 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:05.754451990 CEST	443	49713	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.754554033 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.757677078 CEST	443	49713	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.757791042 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.877454042 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.877480030 CEST	443	49713	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.877578020 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.877923012 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.877964020 CEST	443	49716	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.878068924 CEST	443	49713	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.878489017 CEST	49713	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.878607035 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.879694939 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:05.879710913 CEST	443	49716	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:05.891035080 CEST	49717	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:05.896445036 CEST	80	49717	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:05.903667927 CEST	49717	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:05.903841019 CEST	49717	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:05.907838106 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:05.907939911 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:05.909195900 CEST	80	49717	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:05.909405947 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:05.909426928 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:05.915206909 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:05.915270090 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:05.915348053 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:05.915376902 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:05.916507959 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:05.916534901 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:05.995523930 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:05.995623112 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 25, 2024 04:56:06.000092030 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.000214100 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.000236988 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 25, 2024 04:56:06.244255066 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.255342960 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.255537033 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.260840893 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.260889053 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.260950089 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.261089087 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.261188984 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.261312008 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.261348963 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.261425018 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.262814999 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.262830019 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.510385990 CEST	80	49717	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:06.527210951 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:06.527228117 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:06.527316093 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:06.530097008 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:06.530112028 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:06.530356884 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:06.532474041 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:06.532543898 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:06.532716036 CEST	443	49718	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:06.532773018 CEST	49718	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:06.533466101 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.533535004 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.537954092 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.537969112 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.538022041 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.538182974 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.538233042 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.574251890 CEST	49717	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:06.610172987 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 25, 2024 04:56:06.610660076 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.613512039 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.613537073 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 25, 2024 04:56:06.613993883 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 25, 2024 04:56:06.615926981 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.616014004 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.616626024 CEST	443	49720	34.160.144.191	192.168.2.5
Oct 25, 2024 04:56:06.617062092 CEST	49720	443	192.168.2.5	34.160.144.191
Oct 25, 2024 04:56:06.633004904 CEST	49717	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:06.633040905 CEST	49714	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:06.638998985 CEST	80	49717	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:06.639024973 CEST	80	49714	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:06.643373966 CEST	49717	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:06.643600941 CEST	49714	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:06.739145994 CEST	443	49716	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:06.739310026 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:06.740164042 CEST	443	49716	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:06.740669012 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:06.744750977 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:06.744760036 CEST	443	49716	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:06.744796038 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:06.745054960 CEST	443	49716	216.58.206.78	192.168.2.5
Oct 25, 2024 04:56:06.751482964 CEST	49716	443	192.168.2.5	216.58.206.78
Oct 25, 2024 04:56:06.820383072 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.820424080 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.820606947 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.822207928 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.822225094 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.902985096 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.903685093 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.908669949 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.908679962 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.908723116 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:06.908849955 CEST	443	49721	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:06.909173965 CEST	49721	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.204618931 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:07.210160017 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:07.222975016 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:07.243992090 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:07.249461889 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:07.425539970 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:07.435338020 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:07.445775986 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.450454950 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.450454950 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.450465918 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:07.450789928 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.450839043 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:07.451016903 CEST	443	49723	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:07.461430073 CEST	49723	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.461431980 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.462699890 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:07.462722063 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:07.818891048 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:07.872025013 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:08.109432936 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:08.109446049 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:08.110052109 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:08.113848925 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:08.113863945 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:08.113945961 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:08.114031076 CEST	443	49725	34.117.188.166	192.168.2.5
Oct 25, 2024 04:56:08.114119053 CEST	49725	443	192.168.2.5	34.117.188.166
Oct 25, 2024 04:56:10.401575089 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:10.407011032 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:10.409970999 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:10.410111904 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:10.415502071 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:10.778235912 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:10.783615112 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:10.903654099 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:10.953463078 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.017617941 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:11.069406033 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.086389065 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.091706038 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.091748953 CEST	443	49729	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:11.091784000 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:11.100106955 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.112593889 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.112615108 CEST	443	49729	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:11.114736080 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.114753962 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.116286993 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.117908001 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.117923021 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.127876997 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.127917051 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.135262012 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.135485888 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.135499001 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.214193106 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:11.273453951 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.476557016 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:11.476604939 CEST	443	49732	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:11.478251934 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:11.479742050 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:11.479764938 CEST	443	49732	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:11.698551893 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.704925060 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:11.734719038 CEST	443	49729	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:11.734740019 CEST	443	49729	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:11.734805107 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.739097118 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.739123106 CEST	443	49729	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:11.739177942 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.739365101 CEST	443	49729	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:11.739422083 CEST	49729	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:11.739434958 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.739541054 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.744051933 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.744069099 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.744133949 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.744278908 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.744513988 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.758603096 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.758616924 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.758686066 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.761336088 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.761352062 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.761599064 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.792994976 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.793066025 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.793330908 CEST	443	49731	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:11.793396950 CEST	49731	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:11.823565006 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:11.826014996 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.826062918 CEST	443	49733	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.826304913 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.827616930 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:11.827635050 CEST	443	49733	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:11.827831030 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.834094048 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:11.875257969 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:11.956162930 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:12.007895947 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:12.100351095 CEST	443	49732	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:12.109421015 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:12.162836075 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:12.162858009 CEST	443	49732	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:12.162985086 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:12.163289070 CEST	443	49732	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:12.165146112 CEST	49732	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:12.316361904 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:12.321831942 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:12.431037903 CEST	443	49733	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:12.433140993 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:12.441059113 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:12.493513107 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:12.578545094 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:12.578583956 CEST	443	49733	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:12.578666925 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:12.578896046 CEST	443	49733	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:12.578960896 CEST	49733	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.716814995 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.716852903 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:16.720799923 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.721010923 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.721024036 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:16.729444027 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.729496002 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:16.733089924 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.733213902 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:16.733227968 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.089221001 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:17.094583988 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:17.216197014 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:17.275594950 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:17.341820955 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.341914892 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.342575073 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.344573021 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.344594955 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.344783068 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.345490932 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.346940041 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.346970081 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.347233057 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.349575043 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.349658966 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.349755049 CEST	443	49737	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.349759102 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.349812031 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.349922895 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.349934101 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.350280046 CEST	49737	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.350311041 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.418984890 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:17.420593977 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.420631886 CEST	443	49740	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.421716928 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.423338890 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:17.423348904 CEST	443	49740	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:17.424460888 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:17.544212103 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:17.596568108 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:18.078619003 CEST	443	49740	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:18.079278946 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:18.147959948 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:18.147959948 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:18.147985935 CEST	443	49740	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:18.148349047 CEST	443	49740	34.120.208.123	192.168.2.5
Oct 25, 2024 04:56:18.148966074 CEST	49740	443	192.168.2.5	34.120.208.123
Oct 25, 2024 04:56:18.298484087 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:18.298538923 CEST	443	49747	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:18.305382967 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:19.281131983 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:19.281158924 CEST	443	49747	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:19.306361914 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:19.311850071 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:19.329144001 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:19.334548950 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:19.433628082 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:19.454471111 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:19.478960037 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:19.484469891 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:19.502319098 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:19.606085062 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:19.649573088 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:19.899132013 CEST	443	49747	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:19.899147034 CEST	443	49747	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:19.899214029 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:20.069787025 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:20.069811106 CEST	443	49747	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:20.069844961 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:20.069950104 CEST	443	49747	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:20.082034111 CEST	49747	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:20.200541019 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:20.205916882 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:20.326031923 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:20.367269039 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:20.886435986 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:20.891812086 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:21.014769077 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:21.069375038 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:30.138911963 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.138953924 CEST	443	49813	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:30.139261007 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.140717983 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.140727997 CEST	443	49813	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:30.334182978 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:30.339570999 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:30.750827074 CEST	443	49813	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:30.750931025 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.755924940 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.755929947 CEST	443	49813	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:30.756021976 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.756053925 CEST	443	49813	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:30.756294966 CEST	49813	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:30.758769989 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:30.764125109 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:30.884418011 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:30.888030052 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:30.893557072 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:30.935921907 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:31.018529892 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:31.067456007 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:32.657063007 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:32.657080889 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:32.661448002 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:32.661633968 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:32.661640882 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:32.665007114 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:32.665043116 CEST	443	49827	151.101.129.91	192.168.2.5
Oct 25, 2024 04:56:32.665930033 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:32.666064024 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:32.666079044 CEST	443	49827	151.101.129.91	192.168.2.5
Oct 25, 2024 04:56:32.669507980 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:32.669536114 CEST	443	49829	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:32.670027018 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:32.670150995 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:32.670161963 CEST	443	49829	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:32.702846050 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:32.702879906 CEST	443	49830	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:32.703603983 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:32.705760956 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:32.705777884 CEST	443	49830	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:32.753048897 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:32.753093004 CEST	443	49832	35.201.103.21	192.168.2.5
Oct 25, 2024 04:56:32.754182100 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:32.755770922 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:32.755786896 CEST	443	49832	35.201.103.21	192.168.2.5
Oct 25, 2024 04:56:33.270828009 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.270961046 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.274363041 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.274370909 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.274597883 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.274871111 CEST	443	49829	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:33.274987936 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.276032925 CEST	443	49827	151.101.129.91	192.168.2.5
Oct 25, 2024 04:56:33.276245117 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:33.278702974 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.278721094 CEST	443	49829	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:33.278953075 CEST	443	49829	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:33.282661915 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:33.282672882 CEST	443	49827	151.101.129.91	192.168.2.5
Oct 25, 2024 04:56:33.282896996 CEST	443	49827	151.101.129.91	192.168.2.5
Oct 25, 2024 04:56:33.285274029 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.285394907 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.285399914 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.285408020 CEST	443	49826	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.286030054 CEST	49826	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.286891937 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.286959887 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.287022114 CEST	443	49829	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:33.288172960 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:33.288254976 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:33.288285017 CEST	443	49827	151.101.129.91	192.168.2.5
Oct 25, 2024 04:56:33.289701939 CEST	49829	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.289712906 CEST	49827	443	192.168.2.5	151.101.129.91
Oct 25, 2024 04:56:33.299984932 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:33.301137924 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.301179886 CEST	443	49834	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.301497936 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.301666975 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.301677942 CEST	443	49834	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.302923918 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.302963018 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.303023100 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.303123951 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.303134918 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.305308104 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:33.306191921 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.306219101 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.306571960 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.306672096 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.306683064 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.312083006 CEST	443	49830	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:33.315671921 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:33.323482037 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:33.323502064 CEST	443	49830	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:33.323612928 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:33.323725939 CEST	443	49830	35.190.72.216	192.168.2.5
Oct 25, 2024 04:56:33.324248075 CEST	49830	443	192.168.2.5	35.190.72.216
Oct 25, 2024 04:56:33.362379074 CEST	443	49832	35.201.103.21	192.168.2.5
Oct 25, 2024 04:56:33.362464905 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:33.367058992 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:33.367073059 CEST	443	49832	35.201.103.21	192.168.2.5
Oct 25, 2024 04:56:33.367191076 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:33.367202997 CEST	443	49832	35.201.103.21	192.168.2.5
Oct 25, 2024 04:56:33.367424965 CEST	49832	443	192.168.2.5	35.201.103.21
Oct 25, 2024 04:56:33.391041040 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.391098022 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:33.402049065 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.402548075 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:33.402565002 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:33.425175905 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:33.432976961 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:33.438271999 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:33.474668980 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:33.561129093 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:33.606214046 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:33.906871080 CEST	443	49834	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.906958103 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.908874035 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.908957005 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.911017895 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.911026955 CEST	443	49834	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.911248922 CEST	443	49834	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.914350033 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.914372921 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.914603949 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.917896986 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.917996883 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.918041945 CEST	443	49835	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.918093920 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.918157101 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.918217897 CEST	443	49834	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.918256044 CEST	49835	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.918399096 CEST	49834	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.927853107 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:33.933188915 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:33.943947077 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.944025993 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.947479963 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.947491884 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.947772026 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.949659109 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.949770927 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.949804068 CEST	443	49836	35.244.181.201	192.168.2.5
Oct 25, 2024 04:56:33.955271006 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:33.955337048 CEST	49836	443	192.168.2.5	35.244.181.201
Oct 25, 2024 04:56:34.001102924 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:34.001122952 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:34.002418995 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:34.006027937 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:34.006037951 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:34.006268978 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:34.008619070 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:34.008774042 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:34.008797884 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:34.008809090 CEST	443	49837	34.149.100.209	192.168.2.5
Oct 25, 2024 04:56:34.011023998 CEST	49837	443	192.168.2.5	34.149.100.209
Oct 25, 2024 04:56:34.053987980 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:34.059245110 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:34.065397024 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:34.107712984 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:34.186338902 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:34.232672930 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:44.061788082 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:44.067234993 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:44.193552017 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:44.198909044 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:50.844114065 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:50.844238997 CEST	443	49931	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:50.844351053 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:50.845882893 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:50.845930099 CEST	443	49931	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:51.461050034 CEST	443	49931	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:51.461200953 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:51.466048956 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:51.466085911 CEST	443	49931	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:51.466202021 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:51.466330051 CEST	443	49931	34.107.243.93	192.168.2.5
Oct 25, 2024 04:56:51.466443062 CEST	49931	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:56:51.469353914 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:51.474806070 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:51.594652891 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:51.599186897 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:51.604617119 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:51.638717890 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:51.727498055 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:51.770107985 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:57.611342907 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:57.616722107 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:57.736819983 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:57.740855932 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:57.746223927 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:57.785542965 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:56:57.867568016 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:56:57.923671007 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:07.744963884 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:07.750423908 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:07.876385927 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:07.882188082 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:17.762775898 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:17.768402100 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:17.886974096 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:17.892548084 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:27.773366928 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:27.778973103 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:27.904983997 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:27.910602093 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:31.758627892 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:31.758666039 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 25, 2024 04:57:31.765660048 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:31.772100925 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:31.772128105 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 25, 2024 04:57:32.405592918 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 25, 2024 04:57:32.405608892 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 25, 2024 04:57:32.405757904 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:32.411643028 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:32.411664009 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 25, 2024 04:57:32.411726952 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:32.411971092 CEST	443	50022	34.107.243.93	192.168.2.5
Oct 25, 2024 04:57:32.412771940 CEST	50022	443	192.168.2.5	34.107.243.93
Oct 25, 2024 04:57:32.414669037 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:32.420036077 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:32.539972067 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:32.543229103 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:32.548728943 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:32.583081961 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:32.670386076 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:32.714468956 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:42.543807030 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:42.549447060 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:42.675231934 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:42.680736065 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:52.558067083 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:52.563554049 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:57:52.689646959 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:57:52.695106030 CEST	80	49727	34.107.221.82	192.168.2.5
Oct 25, 2024 04:58:02.565431118 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:58:02.571003914 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 25, 2024 04:58:02.703321934 CEST	49727	80	192.168.2.5	34.107.221.82
Oct 25, 2024 04:58:02.708934069 CEST	80	49727	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 04:56:03.861036062 CEST	63631	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:03.868817091 CEST	53	63631	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:03.875730038 CEST	56470	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:03.912718058 CEST	53	56470	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:04.729691982 CEST	56343	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:04.736808062 CEST	53	56343	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:04.739145994 CEST	61087	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:04.746203899 CEST	53	61087	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:04.746857882 CEST	49399	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:04.754306078 CEST	53	49399	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:04.850493908 CEST	50176	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:04.862027884 CEST	57101	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:04.869292021 CEST	53	57101	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:04.890944004 CEST	59219	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:04.899038076 CEST	53	59219	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.605303049 CEST	62908	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.611222029 CEST	59438	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.612413883 CEST	53	62908	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.613384962 CEST	62913	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.618277073 CEST	53	59438	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.620592117 CEST	53	62913	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.630582094 CEST	63127	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.637764931 CEST	53	63127	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.638315916 CEST	53777	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.645606041 CEST	53	53777	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.882865906 CEST	55220	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.887273073 CEST	64032	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.895159960 CEST	53	64032	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.908210039 CEST	61564	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.909528017 CEST	62279	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.915843010 CEST	53	61564	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.916596889 CEST	53	62279	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.922038078 CEST	60007	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.922271013 CEST	59894	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.929297924 CEST	53	60007	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.929554939 CEST	53	59894	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.986165047 CEST	50728	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:05.993519068 CEST	53	50728	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:05.996139050 CEST	63430	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:06.003355026 CEST	53	63430	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:06.004445076 CEST	62092	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:06.011663914 CEST	53	62092	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.396969080 CEST	53551	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.404921055 CEST	53	53551	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.409437895 CEST	61273	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.430341005 CEST	53	61273	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.430979967 CEST	57835	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.438827991 CEST	53	57835	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.778980017 CEST	59997	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.812336922 CEST	53	54544	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.828401089 CEST	50816	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.835755110 CEST	53	50816	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.839566946 CEST	56622	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.846658945 CEST	53	56622	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:10.847626925 CEST	62742	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:10.854785919 CEST	53	62742	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:11.115412951 CEST	61072	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:11.119704008 CEST	55392	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:11.123295069 CEST	53	61072	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:11.127165079 CEST	51681	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:11.127374887 CEST	53	55392	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:11.134280920 CEST	53	51681	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:11.461738110 CEST	57706	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:11.469707012 CEST	53	57706	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:11.476900101 CEST	61129	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:11.484340906 CEST	53	61129	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:11.489588022 CEST	63079	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:11.498423100 CEST	53	63079	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:16.718465090 CEST	50866	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:16.726195097 CEST	53	50866	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:17.089041948 CEST	50186	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:18.300865889 CEST	49681	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:18.308696985 CEST	53	49681	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.406934977 CEST	60750	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.407422066 CEST	64905	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.407526970 CEST	57497	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.414027929 CEST	53	60750	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.414907932 CEST	51496	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.415059090 CEST	53	64905	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.415576935 CEST	53	57497	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.415894032 CEST	62225	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.416609049 CEST	57534	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.422219992 CEST	53	51496	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.422795057 CEST	62576	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.422897100 CEST	53	62225	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.423505068 CEST	64878	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.424215078 CEST	53	57534	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.424953938 CEST	62901	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.429986954 CEST	53	62576	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.430572987 CEST	57070	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.430737019 CEST	53	64878	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.431435108 CEST	49536	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.432195902 CEST	53	62901	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.437680960 CEST	53	57070	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.438421011 CEST	56383	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.438741922 CEST	53	49536	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.439311028 CEST	56967	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.446126938 CEST	53	56383	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.446666956 CEST	64104	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.447376013 CEST	53	56967	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.447830915 CEST	57821	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:19.454418898 CEST	53	64104	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:19.454865932 CEST	53	57821	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:30.139216900 CEST	52955	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:30.146871090 CEST	53	52955	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.656205893 CEST	65020	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.663811922 CEST	53	65020	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.665079117 CEST	60576	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.669955015 CEST	62832	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.673192024 CEST	53	60576	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.677236080 CEST	53	62832	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.681248903 CEST	52517	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.688628912 CEST	53	52517	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.711215019 CEST	58820	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.719800949 CEST	53	58820	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.753357887 CEST	56376	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.761271000 CEST	53	56376	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:32.765577078 CEST	50955	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:32.773442984 CEST	53	50955	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:50.842897892 CEST	52050	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:50.851432085 CEST	53	52050	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:50.853226900 CEST	51710	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:56:50.860512018 CEST	53	51710	1.1.1.1	192.168.2.5
Oct 25, 2024 04:56:57.611696005 CEST	55663	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:57:31.748919010 CEST	50383	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:57:31.756407976 CEST	53	50383	1.1.1.1	192.168.2.5
Oct 25, 2024 04:57:31.757858992 CEST	56855	53	192.168.2.5	1.1.1.1
Oct 25, 2024 04:57:31.765892029 CEST	53	56855	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 04:56:03.861036062 CEST	192.168.2.5	1.1.1.1	0xfd3c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:03.875730038 CEST	192.168.2.5	1.1.1.1	0x989	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:04.729691982 CEST	192.168.2.5	1.1.1.1	0x521e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.739145994 CEST	192.168.2.5	1.1.1.1	0xd78a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.746857882 CEST	192.168.2.5	1.1.1.1	0x41a0	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:04.850493908 CEST	192.168.2.5	1.1.1.1	0xb11a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.862027884 CEST	192.168.2.5	1.1.1.1	0xc635	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.890944004 CEST	192.168.2.5	1.1.1.1	0x7629	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:05.605303049 CEST	192.168.2.5	1.1.1.1	0x3215	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.611222029 CEST	192.168.2.5	1.1.1.1	0xeac3	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.613384962 CEST	192.168.2.5	1.1.1.1	0x1456	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.630582094 CEST	192.168.2.5	1.1.1.1	0x14b1	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.638315916 CEST	192.168.2.5	1.1.1.1	0x7b67	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:05.882865906 CEST	192.168.2.5	1.1.1.1	0x2d41	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.887273073 CEST	192.168.2.5	1.1.1.1	0xcd6e	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.908210039 CEST	192.168.2.5	1.1.1.1	0x78e7	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.909528017 CEST	192.168.2.5	1.1.1.1	0xf7d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.922038078 CEST	192.168.2.5	1.1.1.1	0xe994	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:05.922271013 CEST	192.168.2.5	1.1.1.1	0x3701	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:05.986165047 CEST	192.168.2.5	1.1.1.1	0xb770	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.996139050 CEST	192.168.2.5	1.1.1.1	0x3cdc	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:06.004445076 CEST	192.168.2.5	1.1.1.1	0xecf7	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:10.396969080 CEST	192.168.2.5	1.1.1.1	0x89df	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.409437895 CEST	192.168.2.5	1.1.1.1	0xc642	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.430979967 CEST	192.168.2.5	1.1.1.1	0x90d4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:10.778980017 CEST	192.168.2.5	1.1.1.1	0x9aa	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.828401089 CEST	192.168.2.5	1.1.1.1	0x5f71	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.839566946 CEST	192.168.2.5	1.1.1.1	0x7648	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.847626925 CEST	192.168.2.5	1.1.1.1	0x8312	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:11.115412951 CEST	192.168.2.5	1.1.1.1	0xfb42	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.119704008 CEST	192.168.2.5	1.1.1.1	0x4192	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:11.127165079 CEST	192.168.2.5	1.1.1.1	0xb0b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:11.461738110 CEST	192.168.2.5	1.1.1.1	0x6251	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.476900101 CEST	192.168.2.5	1.1.1.1	0x1b5d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.489588022 CEST	192.168.2.5	1.1.1.1	0x9ce5	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:16.718465090 CEST	192.168.2.5	1.1.1.1	0x1622	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:17.089041948 CEST	192.168.2.5	1.1.1.1	0xccff	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:18.300865889 CEST	192.168.2.5	1.1.1.1	0xe745	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:19.406934977 CEST	192.168.2.5	1.1.1.1	0x9ae	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.407422066 CEST	192.168.2.5	1.1.1.1	0xb6d6	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.407526970 CEST	192.168.2.5	1.1.1.1	0xbd98	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414907932 CEST	192.168.2.5	1.1.1.1	0x406e	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.415894032 CEST	192.168.2.5	1.1.1.1	0x548b	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.416609049 CEST	192.168.2.5	1.1.1.1	0x9a26	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422795057 CEST	192.168.2.5	1.1.1.1	0x21ad	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:19.423505068 CEST	192.168.2.5	1.1.1.1	0x11b4	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:19.424953938 CEST	192.168.2.5	1.1.1.1	0x9278	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 04:56:19.430572987 CEST	192.168.2.5	1.1.1.1	0xe485	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.431435108 CEST	192.168.2.5	1.1.1.1	0x7dc	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.438421011 CEST	192.168.2.5	1.1.1.1	0x77d6	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.439311028 CEST	192.168.2.5	1.1.1.1	0x4b2f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.446666956 CEST	192.168.2.5	1.1.1.1	0xa881	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:19.447830915 CEST	192.168.2.5	1.1.1.1	0x24a9	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:30.139216900 CEST	192.168.2.5	1.1.1.1	0x5e2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:32.656205893 CEST	192.168.2.5	1.1.1.1	0x51a3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.665079117 CEST	192.168.2.5	1.1.1.1	0x81e0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 04:56:32.669955015 CEST	192.168.2.5	1.1.1.1	0x7d53	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.681248903 CEST	192.168.2.5	1.1.1.1	0x9b23	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 04:56:32.711215019 CEST	192.168.2.5	1.1.1.1	0xf09a	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.753357887 CEST	192.168.2.5	1.1.1.1	0x27e4	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.765577078 CEST	192.168.2.5	1.1.1.1	0x9c00	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:50.842897892 CEST	192.168.2.5	1.1.1.1	0xf163	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:50.853226900 CEST	192.168.2.5	1.1.1.1	0x562	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 04:56:57.611696005 CEST	192.168.2.5	1.1.1.1	0xecb1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:57:31.748919010 CEST	192.168.2.5	1.1.1.1	0x8827	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:57:31.757858992 CEST	192.168.2.5	1.1.1.1	0xf7b9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 04:56:03.848562956 CEST	1.1.1.1	192.168.2.5	0x5a82	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:03.868817091 CEST	1.1.1.1	192.168.2.5	0xfd3c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.736808062 CEST	1.1.1.1	192.168.2.5	0x521e	No error (0)	youtube.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.746203899 CEST	1.1.1.1	192.168.2.5	0xd78a	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.754306078 CEST	1.1.1.1	192.168.2.5	0x41a0	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 04:56:04.857811928 CEST	1.1.1.1	192.168.2.5	0xb11a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:04.857811928 CEST	1.1.1.1	192.168.2.5	0xb11a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.869292021 CEST	1.1.1.1	192.168.2.5	0xc635	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:04.899038076 CEST	1.1.1.1	192.168.2.5	0x7629	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 04:56:05.612413883 CEST	1.1.1.1	192.168.2.5	0x3215	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.618277073 CEST	1.1.1.1	192.168.2.5	0xeac3	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.618277073 CEST	1.1.1.1	192.168.2.5	0xeac3	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.620592117 CEST	1.1.1.1	192.168.2.5	0x1456	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.637764931 CEST	1.1.1.1	192.168.2.5	0x14b1	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.890069962 CEST	1.1.1.1	192.168.2.5	0x2d41	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:05.890069962 CEST	1.1.1.1	192.168.2.5	0x2d41	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.895117044 CEST	1.1.1.1	192.168.2.5	0x7702	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:05.895117044 CEST	1.1.1.1	192.168.2.5	0x7702	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.895159960 CEST	1.1.1.1	192.168.2.5	0xcd6e	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:05.895159960 CEST	1.1.1.1	192.168.2.5	0xcd6e	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.915843010 CEST	1.1.1.1	192.168.2.5	0x78e7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.916596889 CEST	1.1.1.1	192.168.2.5	0xf7d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:05.993519068 CEST	1.1.1.1	192.168.2.5	0xb770	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:05.993519068 CEST	1.1.1.1	192.168.2.5	0xb770	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:05.993519068 CEST	1.1.1.1	192.168.2.5	0xb770	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:06.003355026 CEST	1.1.1.1	192.168.2.5	0x3cdc	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:06.011663914 CEST	1.1.1.1	192.168.2.5	0xecf7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 04:56:10.404921055 CEST	1.1.1.1	192.168.2.5	0x89df	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:10.404921055 CEST	1.1.1.1	192.168.2.5	0x89df	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:10.404921055 CEST	1.1.1.1	192.168.2.5	0x89df	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.430341005 CEST	1.1.1.1	192.168.2.5	0xc642	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.786348104 CEST	1.1.1.1	192.168.2.5	0x9aa	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:10.835755110 CEST	1.1.1.1	192.168.2.5	0x5f71	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:10.846658945 CEST	1.1.1.1	192.168.2.5	0x7648	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.094633102 CEST	1.1.1.1	192.168.2.5	0xc3f1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.123295069 CEST	1.1.1.1	192.168.2.5	0xfb42	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.126570940 CEST	1.1.1.1	192.168.2.5	0x994c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:11.126570940 CEST	1.1.1.1	192.168.2.5	0x994c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.469707012 CEST	1.1.1.1	192.168.2.5	0x6251	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:11.469707012 CEST	1.1.1.1	192.168.2.5	0x6251	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.484340906 CEST	1.1.1.1	192.168.2.5	0x1b5d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:11.824661970 CEST	1.1.1.1	192.168.2.5	0xbe9b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:17.096417904 CEST	1.1.1.1	192.168.2.5	0xccff	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:17.096417904 CEST	1.1.1.1	192.168.2.5	0xccff	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.414027929 CEST	1.1.1.1	192.168.2.5	0x9ae	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.415059090 CEST	1.1.1.1	192.168.2.5	0xb6d6	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:19.415059090 CEST	1.1.1.1	192.168.2.5	0xb6d6	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.415576935 CEST	1.1.1.1	192.168.2.5	0xbd98	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:19.415576935 CEST	1.1.1.1	192.168.2.5	0xbd98	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422219992 CEST	1.1.1.1	192.168.2.5	0x406e	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.422897100 CEST	1.1.1.1	192.168.2.5	0x548b	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.424215078 CEST	1.1.1.1	192.168.2.5	0x9a26	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.429986954 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 04:56:19.429986954 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 04:56:19.429986954 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 04:56:19.429986954 CEST	1.1.1.1	192.168.2.5	0x21ad	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 04:56:19.430737019 CEST	1.1.1.1	192.168.2.5	0x11b4	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 04:56:19.432195902 CEST	1.1.1.1	192.168.2.5	0x9278	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 04:56:19.437680960 CEST	1.1.1.1	192.168.2.5	0xe485	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:19.437680960 CEST	1.1.1.1	192.168.2.5	0xe485	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.437680960 CEST	1.1.1.1	192.168.2.5	0xe485	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.437680960 CEST	1.1.1.1	192.168.2.5	0xe485	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.437680960 CEST	1.1.1.1	192.168.2.5	0xe485	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.438741922 CEST	1.1.1.1	192.168.2.5	0x7dc	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.446126938 CEST	1.1.1.1	192.168.2.5	0x77d6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.446126938 CEST	1.1.1.1	192.168.2.5	0x77d6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.446126938 CEST	1.1.1.1	192.168.2.5	0x77d6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.446126938 CEST	1.1.1.1	192.168.2.5	0x77d6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:19.447376013 CEST	1.1.1.1	192.168.2.5	0x4b2f	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.663811922 CEST	1.1.1.1	192.168.2.5	0x51a3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.663811922 CEST	1.1.1.1	192.168.2.5	0x51a3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.663811922 CEST	1.1.1.1	192.168.2.5	0x51a3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.663811922 CEST	1.1.1.1	192.168.2.5	0x51a3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.677236080 CEST	1.1.1.1	192.168.2.5	0x7d53	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.677236080 CEST	1.1.1.1	192.168.2.5	0x7d53	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.677236080 CEST	1.1.1.1	192.168.2.5	0x7d53	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.677236080 CEST	1.1.1.1	192.168.2.5	0x7d53	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.719800949 CEST	1.1.1.1	192.168.2.5	0xf09a	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:32.719800949 CEST	1.1.1.1	192.168.2.5	0xf09a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:32.761271000 CEST	1.1.1.1	192.168.2.5	0x27e4	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:33.939961910 CEST	1.1.1.1	192.168.2.5	0x86ba	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:33.939961910 CEST	1.1.1.1	192.168.2.5	0x86ba	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:50.851432085 CEST	1.1.1.1	192.168.2.5	0xf163	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:56:57.619909048 CEST	1.1.1.1	192.168.2.5	0xecb1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 04:56:57.619909048 CEST	1.1.1.1	192.168.2.5	0xecb1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 04:57:31.756407976 CEST	1.1.1.1	192.168.2.5	0x8827	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	34.107.221.82	80	5972	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 04:56:04.905164003 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:05.503504038 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51971 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	34.107.221.82	80	5972	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 04:56:05.903841019 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:06.510385990 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61273 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	34.107.221.82	80	5972	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 04:56:07.243992090 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:07.818891048 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51973 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:10.778235912 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:10.903654099 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51976 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:11.698551893 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:11.823565006 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51977 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:12.316361904 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:12.441059113 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51978 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:17.418984890 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:17.544212103 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51983 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:19.329144001 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:19.454471111 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51985 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:20.200541019 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:20.326031923 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51986 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:30.334182978 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:56:30.758769989 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:30.884418011 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51996 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:33.299984932 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:33.425175905 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51999 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:33.927853107 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:34.053987980 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 51999 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:44.061788082 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:56:51.469353914 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:51.594652891 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 52017 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:56:57.611342907 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:56:57.736819983 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 52023 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:57:07.744963884 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:17.762775898 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:27.773366928 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:32.414669037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 04:57:32.539972067 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 52058 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 04:57:42.543807030 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:52.558067083 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:58:02.565431118 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49727	34.107.221.82	80	5972	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 04:56:10.410111904 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:11.017617941 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61277 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:11.086389065 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:11.214193106 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:11.827831030 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:11.956162930 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:17.089221001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:17.216197014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61284 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:19.306361914 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:19.433628082 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:19.478960037 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:19.606085062 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:20.886435986 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:21.014769077 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61287 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:30.888030052 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:31.018529892 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61297 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:33.432976961 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:33.561129093 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61300 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:34.059245110 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:34.186338902 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:44.193552017 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:56:51.599186897 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:51.727498055 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61318 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:56:57.740855932 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:56:57.867568016 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61324 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:57:07.876385927 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:17.886974096 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:27.904983997 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:32.543229103 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 04:57:32.670386076 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 61359 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 04:57:42.675231934 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:57:52.689646959 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 04:58:02.703321934 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	22:55:57
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x150000
File size:	919'552 bytes
MD5 hash:	4237DC911607C252913C1AAA104B0A00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:55:57
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x340000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:55:57
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:55:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x340000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:55:59
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:55:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x340000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:55:59
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x340000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x340000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:56:00
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	22:56:01
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3441bc3-2fa6-4d7a-9d02-45c0be3c048a} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6db10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	22:56:03
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -parentBuildID 20230927232528 -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f741068d-6997-4c3a-8132-9ca401b21f94} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a388203810 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	22:56:10
Start date:	24/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d86d31-3579-4dc9-bb9d-213b448bd290} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 1a3f4f6e110 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1573
Total number of Limit Nodes:	50

Executed Functions

Function 001542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0015430D

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetCurrentProcess.KERNEL32(?,001ECB64,00000000,?,?), ref: 00154422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00154429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00154454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00154466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00154474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0015447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001544A0

Strings

kernel32.dll, xrefs: 0015444F
GetNativeSystemInfo, xrefs: 00154460
|O, xrefs: 001936F8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
Instruction ID: 22279f1435e5948761dc6f94fb5d01f71915e6be01572e06a91aeca22725e525
Opcode Fuzzy Hash: 240c760eb0e82da9d2a588675ec6738c74e7775eb517bcdbb185bff271dcdb08
Instruction Fuzzy Hash: DCA1B66290A2C0EFCB35CBE97C4C9997FA67B36304B0874D9E45197A61D33046ABCB61

Function 001542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001550AA,?,?,00000000,00000000), ref: 001542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001550AA,?,?,00000000,00000000), ref: 001542C9
LoadResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935BE
SizeofResource.KERNEL32(?,00000000,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20), ref: 001935D3
LockResource.KERNEL32(001550AA,?,?,001550AA,?,?,00000000,00000000,?,?,?,?,?,?,00154F20,?), ref: 001935E6

Strings

SCRIPT, xrefs: 001542BF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
Instruction ID: 2d84d6eb4e90176d410e896e0c7df889038c66e723828ae807ea6bd24b13b1cf
Opcode Fuzzy Hash: ac72ea9211f716bc877a8379519253496d4644c31e57652ac41b0543c50c65cb
Instruction Fuzzy Hash: 2711C270200701FFD7218BA5EC88F2B7BB9EBC5B56F104169F913CA550DB71DC458660

Function 00192BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B

Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00212224), ref: 00192C10
ShellExecuteW.SHELL32(00000000,?,?,00212224), ref: 00192C17

Strings

runas, xrefs: 00192C0B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 395721a78fb820e86a772af235a69ea0e52c1e5a93e22a1979d01cca1cf6812a
Instruction ID: ebea74c824aaa9a418887711b52f2fa7500cc38d7cba04a52d75cc58b4ae3fb6
Opcode Fuzzy Hash: 395721a78fb820e86a772af235a69ea0e52c1e5a93e22a1979d01cca1cf6812a
Instruction Fuzzy Hash: AC119332204345EAC718FFA0E851DAD77A4ABB6342F44142DF8765F0A2DF31955EC752

Function 001BD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
Process32NextW.KERNEL32(00000000,?), ref: 001BD52F
CloseHandle.KERNELBASE(00000000), ref: 001BD5DC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: eee654ed68d241c6c11964aca8c6868bb4f5b5e50700c708d461648c4cd63562
Instruction ID: 47fcbbaa182a48eac7e539164a4c5f0a60f023f616c78ad5da5e7a6c0caacac8
Opcode Fuzzy Hash: eee654ed68d241c6c11964aca8c6868bb4f5b5e50700c708d461648c4cd63562
Instruction Fuzzy Hash: 19319031008340DFD314EF54D881AAFBBF8EFA9344F54092DF9918A1A1EB719989CB92

Function 001BDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00195222), ref: 001BDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001BDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001BDBEE
FindClose.KERNEL32(00000000), ref: 001BDBFA

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
Instruction ID: c9b63c0114dc520e3fbedca63bea8d9aed94008bfbd053fa7e804c1cc7e91434
Opcode Fuzzy Hash: 8ca1aac5982ec2a1784c3ff525446598cc6e5b3461bb71809edcd7d85cfb7ce7
Instruction Fuzzy Hash: BAF0A0308109109782246BB8AC4E8AE3B6D9F06334B10470AF936C24E0FBB05D9686D5

Function 00174CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D09
TerminateProcess.KERNEL32(00000000,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000,?,001828E9), ref: 00174D10
ExitProcess.KERNEL32 ref: 00174D22

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
Instruction ID: 1c807072b102770047d93a06dc622fd4619fab239725dec4ea4504903891d686
Opcode Fuzzy Hash: dfa6e6311f33323395abbf339abff63f72ffdd7b3eda6dc1f8acb25304a6499f
Instruction Fuzzy Hash: 93E0B631000188AFCF21AFD4DD59A583B79FB61781B158014FC599A522DB35EE92CB80

Function 0015BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#", xrefs: 001A07CE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#"
API String ID: 3964851224-3229190087
Opcode ID: 4301250e4e86c565338f78b6bdfb2946df2af83b37056d6b77473246ccba3597
Instruction ID: 18b92ae40d694f8b4b1cb67cbbd9c609072b49c9e47cf5b2eff5ebb1d2d24c39
Opcode Fuzzy Hash: 4301250e4e86c565338f78b6bdfb2946df2af83b37056d6b77473246ccba3597
Instruction Fuzzy Hash: 2EA26A74A08301DFC715DF18C480B6ABBE1BF99304F15896DE8AA9B352D771EC49CB92

Function 001DAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001DB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001DB1D4
_wcslen.LIBCMT ref: 001DB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001DB236
_wcslen.LIBCMT ref: 001DB332

Part of subcall function 001C05A7: GetStdHandle.KERNEL32(000000F6), ref: 001C05C6

_wcslen.LIBCMT ref: 001DB34B
_wcslen.LIBCMT ref: 001DB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001DB3B6
GetLastError.KERNEL32(00000000), ref: 001DB407
CloseHandle.KERNEL32(?), ref: 001DB439
CloseHandle.KERNEL32(00000000), ref: 001DB44A
CloseHandle.KERNEL32(00000000), ref: 001DB45C
CloseHandle.KERNEL32(00000000), ref: 001DB46E
CloseHandle.KERNEL32(?), ref: 001DB4E3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 83ddea54e391867a19beec012330596ecab55c935d503d106d4a9ae32d7467f5
Instruction ID: 7f5e906cb782ac9c7ac8d13197de103f6d8500bbf66caaa21838b6687145cb3e
Opcode Fuzzy Hash: 83ddea54e391867a19beec012330596ecab55c935d503d106d4a9ae32d7467f5
Instruction Fuzzy Hash: 8CF16731608340DFC714EF24D891A6EBBE1AF95314F15855EF89A8B3A2DB31EC45CB92

Function 0015D730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0015D807
timeGetTime.WINMM ref: 0015DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB28
TranslateMessage.USER32(?), ref: 0015DB7B
DispatchMessageW.USER32(?), ref: 0015DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB9F
Sleep.KERNELBASE(0000000A), ref: 0015DBB1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ed6d8e1012cba42ddd01e7484d9caac36845e66123e93256267a28eb92be596a
Instruction ID: 9eef2bd8b21c24a71ea063b0ad71f7351fae7f4cc0c81e5461f4bfac29f06e6a
Opcode Fuzzy Hash: ed6d8e1012cba42ddd01e7484d9caac36845e66123e93256267a28eb92be596a
Instruction Fuzzy Hash: C0422434608341EFD739CF24D884BAAB7E1BF56315F14851DF8668B2A1D770E888CB92

Function 00152CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00152D07
RegisterClassExW.USER32(00000030), ref: 00152D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
LoadIconW.USER32(000000A9), ref: 00152D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94

Strings

0, xrefs: 00152CE9
+, xrefs: 00152CF0
AutoIt v3 GUI, xrefs: 00152D23
TaskbarCreated, xrefs: 00152D37

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
Instruction ID: f220f92beb78e75089e2b27634b59152673c77134e32fc2e4ae806c0524f9357
Opcode Fuzzy Hash: 393e87357262f625bcd433c5f229192c53d5805d20eff818350458c81381a417
Instruction Fuzzy Hash: E521B2B5D01258AFDB10DFE8ED89A9DBBB4FB08704F00511AF911AA2A0D7B14596CF91

Function 0019065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019039A: CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7

GetLastError.KERNEL32 ref: 0019076F
__dosmaperr.LIBCMT ref: 00190776
GetFileType.KERNELBASE(00000000), ref: 00190782
GetLastError.KERNEL32 ref: 0019078C
__dosmaperr.LIBCMT ref: 00190795
CloseHandle.KERNEL32(00000000), ref: 001907B5
CloseHandle.KERNEL32(?), ref: 001908FF
GetLastError.KERNEL32 ref: 00190931
__dosmaperr.LIBCMT ref: 00190938

Strings

H, xrefs: 001908BD

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
Instruction ID: 896c7a75568dfb04cb60b2deaf355aae5e2707f52066c283392bd72e4042ca27
Opcode Fuzzy Hash: dd29e7648831ef77aae96efeb2537e84f0c64d52af1e53b066db5272329f35da
Instruction Fuzzy Hash: 60A12632A041449FDF1AEFA8DC95BAE7BA1AB0A320F14415DF8159F392DB319D13CB91

Function 0015344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00153A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00221418,?,00152E7F,?,?,?,00000000), ref: 00153A78

Part of subcall function 00153357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00153379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0015356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0019318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001931CE
RegCloseKey.ADVAPI32(?), ref: 00193210
_wcslen.LIBCMT ref: 00193277
_wcslen.LIBCMT ref: 00193286

Strings

Include, xrefs: 00193184, 001931C5
Software\AutoIt v3\AutoIt, xrefs: 00153560
\, xrefs: 0019328C
\Include\, xrefs: 00153527

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3ca2037d1c961de87ff27ae5e5d1cc9302f3b6ac8f01cb58754def0adb2cb818
Instruction ID: 387e2a8fa13d084288f1438e1125601ca0a7066f27d1997106f025b3993c0680
Opcode Fuzzy Hash: 3ca2037d1c961de87ff27ae5e5d1cc9302f3b6ac8f01cb58754def0adb2cb818
Instruction Fuzzy Hash: 58717D71404301FEC724EFA5EC8586BBBE8FFA4340B80146EF955971A1EB359A4ECB52

Function 00152B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00152B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00152B9D
LoadIconW.USER32(00000063), ref: 00152BB3
LoadIconW.USER32(000000A4), ref: 00152BC5
LoadIconW.USER32(000000A2), ref: 00152BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00152BEF
RegisterClassExW.USER32(?), ref: 00152C40

Part of subcall function 00152CD4: GetSysColorBrush.USER32(0000000F), ref: 00152D07
Part of subcall function 00152CD4: RegisterClassExW.USER32(00000030), ref: 00152D31
Part of subcall function 00152CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00152D42
Part of subcall function 00152CD4: InitCommonControlsEx.COMCTL32(?), ref: 00152D5F
Part of subcall function 00152CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00152D6F
Part of subcall function 00152CD4: LoadIconW.USER32(000000A9), ref: 00152D85
Part of subcall function 00152CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00152D94

Strings

#, xrefs: 00152C16
0, xrefs: 00152C0F
AutoIt v3, xrefs: 00152C2F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
Instruction ID: 1304dc6d78f2f16c4ba3c4b46fe6eae8ac0fdc18bf6d3dc6ab4368f21da69224
Opcode Fuzzy Hash: c619eebd999e65a80e4f93fded6aea761491e80e4d3b47599afd59e7125f83f3
Instruction Fuzzy Hash: 0021FA71E00354BBDB20DFE5FC99E9D7FB6FB58B50F0410AAE500A66A0D7B105528F90

Function 00153170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0015316A,?,?), ref: 001531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0015316A,?,?), ref: 00153204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00153227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0015316A,?,?), ref: 00153232
CreatePopupMenu.USER32 ref: 00153246
PostQuitMessage.USER32(00000000), ref: 00153267

Strings

TaskbarCreated, xrefs: 0015322D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d58a2f3e1fceae2401e52c66054e8fd08b7eae91e3c0f67f98f52ad4c1e12e4e
Instruction ID: 389454fc490a789ce3d0748bcb41b302b47e659529619440398dac85b043004b
Opcode Fuzzy Hash: d58a2f3e1fceae2401e52c66054e8fd08b7eae91e3c0f67f98f52ad4c1e12e4e
Instruction Fuzzy Hash: 36416B34600644FBDF286BF8AC8DF7D3A5AE715382F040125FD318F1A1CB718A9997A1

Function 00151410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00151459
CoUninitialize.COMBASE ref: 001514F8
UnregisterHotKey.USER32(?), ref: 001516DD
DestroyWindow.USER32(?), ref: 001924B9
FreeLibrary.KERNEL32(?), ref: 0019251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0019254B

Strings

close all, xrefs: 00151454

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2051dd0d7f46600a3967f485e30e8059d3de0dc6c83c080d98da64a59224d6ae
Instruction ID: 82f84ae62a18c6b537ae1d07f9b465c31bb818a333fab6c1dc3d7db47daa79d0
Opcode Fuzzy Hash: 2051dd0d7f46600a3967f485e30e8059d3de0dc6c83c080d98da64a59224d6ae
Instruction Fuzzy Hash: B5D1BD31701212EFDB2AEF14D899B69F7A0BF15301F1541ADE85A6B252DB30EC16CF90

Function 00152C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00152C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00152CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00151CAD,?), ref: 00152CCF

Strings

AutoIt v3, xrefs: 00152C89, 00152C8E, 00152C8F
edit, xrefs: 00152CAC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
Instruction ID: b3610b9807e9c10911eb4002153c4be3c31df604297b6eb06743b222432c2d5d
Opcode Fuzzy Hash: 609bedc9f948df990950406489f3f230b16dc9bb547066eab377f04b45e4842f
Instruction Fuzzy Hash: 6BF03A759403D47AEB304797BC4CE7B3EBED7DAF50B0110AAF900A65A0C2710862DAB0

Function 00153B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00153B0F,SwapMouseButtons,00000004,?), ref: 00153B83

Strings

Control Panel\Mouse, xrefs: 00153B3E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
Instruction ID: f0334f4aea488dab96224e12e8b01e6d658bb8a024b8cbc38965afd9d38cb95c
Opcode Fuzzy Hash: f48dbbc770470e6fda1ec9a14b0e8887d808ae09f95cbef7ccf183ce99fb5b9c
Instruction Fuzzy Hash: F1112AB5510218FFDB21CFA5DC84AAEB7B8EF44785B104459F825DB110D3319F4597A0

Function 00153923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001933A2

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00153A04

Strings

Line: , xrefs: 001933EB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 796872d8faad18f842dfc9db2350fa4cd7c57b16d0731a0f27b18f7209947c80
Instruction ID: 45db604e97f9be54285074f500d90cd7ba81e5562891da5f36c691529aec36c2
Opcode Fuzzy Hash: 796872d8faad18f842dfc9db2350fa4cd7c57b16d0731a0f27b18f7209947c80
Instruction Fuzzy Hash: B031D071408304EAC725EB60EC45FEBB7E8AB64355F00496AF9B98B091DB70965DC7C2

Function 00152DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00192C8C

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 00152DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4

Strings

`e!, xrefs: 00192C85
X, xrefs: 00192C5A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e!
API String ID: 779396738-4247064546
Opcode ID: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
Instruction ID: 23da9e6a72118012514a764e8b9dee6ff7fd8b9a096deeb11fa974ccc1de7399
Opcode Fuzzy Hash: b61e56b9f93613f5df470afa4b12179bcfd770656f9c41f8629f370578f00c78
Instruction Fuzzy Hash: 4F21C671A10258AFDF01DF94C849BEE7BF8AF59305F004059E815AB241DBB4558DCBA1

Function 0016FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00170668

Part of subcall function 001732A4: RaiseException.KERNEL32(?,?,?,0017068A,?,00221444,?,?,?,?,?,?,0017068A,00151129,00218738,00151129), ref: 00173304

__CxxThrowException@8.LIBVCRUNTIME ref: 00170685

Strings

Unknown exception, xrefs: 00170692

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f7f01b169ffec3e30b8ad477875470ea52c77acd4776b2e7664ec09e750eed5e
Instruction ID: db31edd7bda9dbad8db7d786f4887efe2cb9241e137d192a7372764bbf91e7e1
Opcode Fuzzy Hash: f7f01b169ffec3e30b8ad477875470ea52c77acd4776b2e7664ec09e750eed5e
Instruction Fuzzy Hash: 95F0C23490030DB7CB05BAA4EC96C9E7BBC5E64350B60C135B82C965D2EF71EB76C980

Function 001510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00151BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
Part of subcall function 00151BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22

Part of subcall function 00151B4A: RegisterWindowMessageW.USER32(00000004,?,001512C4), ref: 00151BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0015136A
OleInitialize.OLE32 ref: 00151388
CloseHandle.KERNEL32(00000000,00000000), ref: 001924AB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: f6e48753ab9ad0e9a226bbaf785cbd2e583a9f3741b804c79c95fdc552d722d9
Instruction ID: b7e3722a0c2ae6b87b1220d582af9d9f125d0cca09defd9e3b1e8167a2f9fc4c
Opcode Fuzzy Hash: f6e48753ab9ad0e9a226bbaf785cbd2e583a9f3741b804c79c95fdc552d722d9
Instruction Fuzzy Hash: 4171D1B4811244BED7A4EFF9BD89E553AE0BBB834439462BAD41ACB261E7344437CF41

Function 001BC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00153923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00153A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001BC259
KillTimer.USER32(?,00000001,?,?), ref: 001BC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001BC270

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a4548f3ad64119d3cce7bfe273708657b187fdb69f5d36a7266d5e257f74bc21
Instruction ID: 230647a0e1a6dedd0183bc54085b31e116e958e85f8156986c221c994491767f
Opcode Fuzzy Hash: a4548f3ad64119d3cce7bfe273708657b187fdb69f5d36a7266d5e257f74bc21
Instruction Fuzzy Hash: 99319570904384AFEB32DF648895BEBBBED9B16304F0004DAD5DAA7241C7745A85CB91

Function 001886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,001885CC,?,00218CC8,0000000C), ref: 00188704
GetLastError.KERNEL32(?,001885CC,?,00218CC8,0000000C), ref: 0018870E
__dosmaperr.LIBCMT ref: 00188739

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
Instruction ID: e18fbbcb7a22c04552bfd8c4311a74cff24dfe44b4008bbd8a2a9dba4590c955
Opcode Fuzzy Hash: fe54fc5881fbe1bb2b9ba0caba8ad4ec6a26aa326cad3875413a445b5667cc96
Instruction Fuzzy Hash: AA018932A0466026C3347374A889B7E275A9B92774F79011DFC188B1D3EFA0DE828F90

Function 0015DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0015DB7B
DispatchMessageW.USER32(?), ref: 0015DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0015DB9F
Sleep.KERNELBASE(0000000A), ref: 0015DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 001A1CC9

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: b4c9737810332ffb2b6898ff120c0b7b435930c6a10d862223827feefc31282c
Instruction ID: 3b3628171a57941c0aad52fa53eb6add6d126ae4343e1e72b2528c76eeb6a29c
Opcode Fuzzy Hash: b4c9737810332ffb2b6898ff120c0b7b435930c6a10d862223827feefc31282c
Instruction Fuzzy Hash: A1F0FE31644380EBE734CBF09C89FAA73A9EF55711F104629EA5ACB4D0DB3094998B56

Function 00161310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001617F6

Strings

CALL, xrefs: 001617C6

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6f600c569b5d90cd3efefe0d205361ab732d88c8be5564b913ed70d33a05209b
Instruction ID: e62a7f3171b7e9c9f78c7abf41bc3218ac573b2289cfa89c4ddb93691e861322
Opcode Fuzzy Hash: 6f600c569b5d90cd3efefe0d205361ab732d88c8be5564b913ed70d33a05209b
Instruction Fuzzy Hash: 93229C74608341EFC714DF14C884A2ABBF1BF9A314F19895DF49A8B361D771E865CB82

Function 00153837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: faa1104ff986216718eef76240f689d14ad703086301feb3de540e6c76bd7908
Instruction ID: a4d6993749833659bc8b2e26ca2dc6817443b920e4babc63e1648584db71ec1c
Opcode Fuzzy Hash: faa1104ff986216718eef76240f689d14ad703086301feb3de540e6c76bd7908
Instruction Fuzzy Hash: 4C31C370504300DFD721DF64D884B97BBE4FB59349F00096EF9B98B240E771AA58CB52

Function 0016F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0016F661

Part of subcall function 0015D730: GetInputState.USER32 ref: 0015D807

Sleep.KERNEL32(00000000), ref: 001AF2DE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 87ce9b870d40ab876c612d0293cdf3563d1d2e05db092c39df0e2ee45e5c1211
Instruction ID: f0d6b388c59ccf14ad73c33e23fc5fc28244b819ad817031bbe7dad9bc10c4c3
Opcode Fuzzy Hash: 87ce9b870d40ab876c612d0293cdf3563d1d2e05db092c39df0e2ee45e5c1211
Instruction Fuzzy Hash: 61F08231244205DFD314EF75E885B5AB7E4EF59761F000029E859CB260DB70A845CB90

Function 00154ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00154E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
Part of subcall function 00154E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
Part of subcall function 00154E90: FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EFD

Part of subcall function 00154E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
Part of subcall function 00154E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
Part of subcall function 00154E59: FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
Instruction ID: 501098067aefdcdbef2e4c27f7a51e3fbaababab33a5ad6c587006d69eddd621
Opcode Fuzzy Hash: f32eeda59d358b207b6d847c99ae75751666db2f49ae4877ae19baa38fbebb68
Instruction Fuzzy Hash: DE112731600205EBCF14AB68DC03FAD77A59F60716F10842EF962AE1C1EF749A899B90

Function 00188402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00188440

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
Instruction ID: 237f13ae5aae9d315b32253252335dde486ff305c5ad59a887ca06a2d954d51f
Opcode Fuzzy Hash: 80122547a7aed2b4037712062a4c4b51d6ddb010f8cf338af3cda2cc05d62ff4
Instruction Fuzzy Hash: 4C11187690410AAFCF15DF58E945A9A7BF5EF48314F114059FC08AB312DB31EA11CBA5

Function 00185000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00184C7D: RtlAllocateHeap.NTDLL(00000008,00151129,00000000,?,00182E29,00000001,00000364,?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?), ref: 00184CBE

_free.LIBCMT ref: 0018506C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 266b106783a09d40fc3a11361281d71a201ecbff4244b16dab8b766888f416d1
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 1A0126726047056BE3219E699881A9AFBEDFB89370F25051DF19483280EB30AA05CBB4

Function 0017E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9192162ffa43677d8bf2b1cab57c54a852e11a505a80a1161616c7fa7224d287
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: F1F0F432510A14A6C7323A699C05B5A33F89F76334F218759F829931D2DB74D9028EA5

Function 00184C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00151129,00000000,?,00182E29,00000001,00000364,?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?), ref: 00184CBE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4186f91697133df72af486308c6d68f2f8b73cec8d19e3f3014b224e4eae5759
Instruction ID: 8db534bfd4602312ff9ad2ea16adc138193b03fff17381b268addba93e7c215b
Opcode Fuzzy Hash: 4186f91697133df72af486308c6d68f2f8b73cec8d19e3f3014b224e4eae5759
Instruction Fuzzy Hash: C3F0E231602226A7DB217F629C09F6B779CBF517B0B158125F819AA281CF30DA019FE0

Function 00183820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
Instruction ID: ca1e5ffeb78cbc3c9f5ffbcdd1f886644a5b74298dc14cf5c30ea4e0e75842e8
Opcode Fuzzy Hash: 9ef2e33a7c6039a8854e25277eeb00b2972a405547d0d93aa9bd63c05781e6dd
Instruction Fuzzy Hash: 24E06531601224A7D63137A69C05B9B3659AB53FB0F1D4225BC39A65D1DB21DF028BE1

Function 00154F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154F6D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
Instruction ID: c274e3cab27d9c4fe7ca6e658373c3cfeed37e84bc4eb7e34f6a84454f370eab
Opcode Fuzzy Hash: f06c731ea1d0295a420e8a1efd795d577c73adf9c90e477d90118cc40548df0d
Instruction Fuzzy Hash: 9FF03071105751CFDB389F6CD490856B7F4AF1431E324897FE5EA8A511C7319888DF50

Function 001E2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001E2A66

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 79fdba2c3613d7660eec6ccef7b9c08b2a0065371dc1a76045bf5d0dc52410cf
Instruction ID: c122ab9e257a02b32369f82f3ead8a2fdbd1d75c226d16c55bc4bb1171bcd0a9
Opcode Fuzzy Hash: 79fdba2c3613d7660eec6ccef7b9c08b2a0065371dc1a76045bf5d0dc52410cf
Instruction Fuzzy Hash: BBE0DF36340556ABC714EA31EC908FE734CEBA0398704443AEC26C3500DB30999182E0

Function 001530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0015314E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 050d4b4db50c28e5ae96b3b90c77079c696bee7f5028e7bfc121455c1a76b6d6
Instruction ID: c1f4b7135ad379ed69f02c171d4136c2ea59627b5c5ae35e4d591989b214af0d
Opcode Fuzzy Hash: 050d4b4db50c28e5ae96b3b90c77079c696bee7f5028e7bfc121455c1a76b6d6
Instruction Fuzzy Hash: FEF0A770900348AFE762DB64EC49BD97BBCA701708F0000E5A54897181D7704799CF41

Function 00152DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00152DC4

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
Instruction ID: 0f8d8b00ee095c2fad70037e07bc94a94d6d71952ed2b50350fbd9ea1d371ab0
Opcode Fuzzy Hash: 63b820c59a015440930083b23cc156460eca80ee5d47d6f3796c1450b1e73343
Instruction Fuzzy Hash: 1FE0CD726001245BCB1092989C06FEA77DDDFC8790F040071FD09D7248DA70ADC48590

Function 00152B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00153837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00153908

Part of subcall function 0015D730: GetInputState.USER32 ref: 0015D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00152B6B

Part of subcall function 001530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0015314E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 5245ebc40ae21ac20460ef170eb034f1c116b6847d5d51e7a27a3be8c95f4404
Instruction ID: 6a5e2ced6c320aa542ad8b84e63477d3500cb0dcd2ff9d8b2cef9be1383cd4d6
Opcode Fuzzy Hash: 5245ebc40ae21ac20460ef170eb034f1c116b6847d5d51e7a27a3be8c95f4404
Instruction Fuzzy Hash: 64E0262230024492C608BBB0B8528ADB7599BF1393F40153EF8768F1A3CF20459EC352

Function 0019039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00190704,?,?,00000000,?,00190704,00000000,0000000C), ref: 001903B7

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
Instruction ID: 263ca8a7be3c85cdedb0e1741aa2d76239c49ba3c2e2e45523dbede234988dcb
Opcode Fuzzy Hash: 92ad80be1a8b5e84785cd9e18822406134445285d4fa554f582d6f6398a23406
Instruction Fuzzy Hash: A8D06C3204014DFBDF029F84DD46EDA3FAAFB48714F014000BE1856020C732E862AB91

Function 00151CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00151CBC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
Instruction ID: 5095d367b59a5931935b5d184ef67e570825c68cac49f9b677528450d7295d32
Opcode Fuzzy Hash: b3970d8e762584551636f77641a773482374235680d34a3536d592eef430d3c5
Instruction Fuzzy Hash: 0AC09B35380345FFF23487C0BC4EF147755A75CB00F449001F609695E3C3A21471D690

Non-executed Functions

Function 001E9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001E961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001E969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E96C9
SendMessageW.USER32 ref: 001E96F2
GetKeyState.USER32(00000011), ref: 001E978B
GetKeyState.USER32(00000009), ref: 001E9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001E97AE
GetKeyState.USER32(00000010), ref: 001E97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001E97E9
SendMessageW.USER32 ref: 001E9810
SendMessageW.USER32(?,00001030,?,001E7E95), ref: 001E9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001E992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001E9941
SetCapture.USER32(?), ref: 001E994A
ClientToScreen.USER32(?,?), ref: 001E99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001E99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E99D6
ReleaseCapture.USER32 ref: 001E99E1
GetCursorPos.USER32(?), ref: 001E9A19
ScreenToClient.USER32(?,?), ref: 001E9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9A80
SendMessageW.USER32 ref: 001E9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9AEB
SendMessageW.USER32 ref: 001E9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001E9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001E9B4A
GetCursorPos.USER32(?), ref: 001E9B68
ScreenToClient.USER32(?,?), ref: 001E9B75
GetParent.USER32(?), ref: 001E9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001E9BFA
SendMessageW.USER32 ref: 001E9C2B
ClientToScreen.USER32(?,?), ref: 001E9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001E9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001E9CDE
SendMessageW.USER32 ref: 001E9D01
ClientToScreen.USER32(?,?), ref: 001E9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001E9D82

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

GetWindowLongW.USER32(?,000000F0), ref: 001E9E05

Strings

p#", xrefs: 001E9990
F, xrefs: 001E9D07
@GUI_DRAGID, xrefs: 001E997D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#"
API String ID: 3429851547-1047118953
Opcode ID: 7c7c4c579d1bf95f24224205720e7e107deeda4b4aef068e47f0d70e960e33b0
Instruction ID: 279d97150fe9a2c962686be5d7b86b5a0e154bd01ffcf9c16e3175b489333b5b
Opcode Fuzzy Hash: 7c7c4c579d1bf95f24224205720e7e107deeda4b4aef068e47f0d70e960e33b0
Instruction Fuzzy Hash: 91428C70604680AFD724CF66CC84EAEBBF5FF49310F14061AFA598B2A1D77198A5CF81

Function 001E4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001E48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001E4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001E4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001E494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001E495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001E497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001E49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001E49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001E4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001E4A7E
IsMenu.USER32(?), ref: 001E4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E4B20
GetWindowLongW.USER32(?,000000F0), ref: 001E4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001E4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001E4C82
wsprintfW.USER32 ref: 001E4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001E4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001E4D5A

Strings

%d/%02d/%02d, xrefs: 001E4CA8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 97d73b00d799e1210d3a8c278152ca1ca4cd90996d1d637f0b2be4f59f1a3e7b
Instruction ID: 79083e14ba169be7842d394b5b2c23bfa05bba7b125f48832ccfb2d3e4092715
Opcode Fuzzy Hash: 97d73b00d799e1210d3a8c278152ca1ca4cd90996d1d637f0b2be4f59f1a3e7b
Instruction Fuzzy Hash: 9912F231A00684ABEB248F69DC49FAF7BF8EF49710F144129F916EB2E1D7749941CB50

Function 0016F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0016F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001AF474
IsIconic.USER32(00000000), ref: 001AF47D
ShowWindow.USER32(00000000,00000009), ref: 001AF48A
SetForegroundWindow.USER32(00000000), ref: 001AF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4AA
GetCurrentThreadId.KERNEL32 ref: 001AF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001AF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001AF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001AF4DE
SetForegroundWindow.USER32(00000000), ref: 001AF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF4F6
keybd_event.USER32(00000012,00000000), ref: 001AF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF50B
keybd_event.USER32(00000012,00000000), ref: 001AF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF519
keybd_event.USER32(00000012,00000000), ref: 001AF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001AF528
keybd_event.USER32(00000012,00000000), ref: 001AF52D
SetForegroundWindow.USER32(00000000), ref: 001AF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001AF557

Strings

Shell_TrayWnd, xrefs: 001AF46F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1a57ac36e70ee863361d0286729292ccb6460a3fcfcb008be90bd732da5a462b
Instruction ID: 69f32ccf145a88b4cdcabd124d56a2d5d4e21a39452486ed25d48656a4cbcedd
Opcode Fuzzy Hash: 1a57ac36e70ee863361d0286729292ccb6460a3fcfcb008be90bd732da5a462b
Instruction Fuzzy Hash: 79314175B40258BFEB206BE55C89FBF7E6DEB45B50F100029FA00EA1D1C7B05942AAA0

Function 001B1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001B1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001B12A8
CloseHandle.KERNEL32(?), ref: 001B12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001B12D1
GetProcessWindowStation.USER32 ref: 001B12EA
SetProcessWindowStation.USER32(00000000), ref: 001B12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001B1310

Part of subcall function 001B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
Part of subcall function 001B10BF: CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9

Strings

default, xrefs: 001B130B
Z!, xrefs: 001B1392
winsta0, xrefs: 001B12CC
, xrefs: 001B125A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z!
API String ID: 22674027-3215132610
Opcode ID: 8ad18ecbaf83c862ebca1ca38414fdd4947addeb463dde9bd26feda0b8010578
Instruction ID: 9105ee5edfa453d83b831d06af66bc9ea284ba980c8a85a69b11ae768dd9df97
Opcode Fuzzy Hash: 8ad18ecbaf83c862ebca1ca38414fdd4947addeb463dde9bd26feda0b8010578
Instruction Fuzzy Hash: F6818B71900249BFDF219FA4DC99FEE7BB9FF08704F154129F910A62A0DB718A95CB60

Function 001B0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0C00
GetLengthSid.ADVAPI32(?), ref: 001B0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001B0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0C6D
GetLengthSid.ADVAPI32(?), ref: 001B0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0C8C
HeapAlloc.KERNEL32(00000000), ref: 001B0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0CB4
CopySid.ADVAPI32(00000000), ref: 001B0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D45
HeapFree.KERNEL32(00000000), ref: 001B0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D55
HeapFree.KERNEL32(00000000), ref: 001B0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0D65
HeapFree.KERNEL32(00000000), ref: 001B0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001B0D78
HeapFree.KERNEL32(00000000), ref: 001B0D7F

Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 424fbaa48e33db09396dd5ce3b43a5bd04a0ec4b881c71cf12a0398e6243f98d
Instruction ID: e85c926202946918aaaaf372646a74cb385abfe11c4194fb40c47030a80f5435
Opcode Fuzzy Hash: 424fbaa48e33db09396dd5ce3b43a5bd04a0ec4b881c71cf12a0398e6243f98d
Instruction Fuzzy Hash: B2716B7690020AABDF11DFE4DC84BEFBBB8BF09310F044515F915AA1A1D771AA46CBA0

Function 001CEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001ECC08), ref: 001CEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001CEB37
GetClipboardData.USER32(0000000D), ref: 001CEB43
CloseClipboard.USER32 ref: 001CEB4F
GlobalLock.KERNEL32(00000000), ref: 001CEB87
CloseClipboard.USER32 ref: 001CEB91
GlobalUnlock.KERNEL32(00000000), ref: 001CEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001CEBC9
GetClipboardData.USER32(00000001), ref: 001CEBD1
GlobalLock.KERNEL32(00000000), ref: 001CEBE2
GlobalUnlock.KERNEL32(00000000), ref: 001CEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001CEC38
GetClipboardData.USER32(0000000F), ref: 001CEC44
GlobalLock.KERNEL32(00000000), ref: 001CEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001CEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001CECD2
GlobalUnlock.KERNEL32(00000000), ref: 001CECF3
CountClipboardFormats.USER32 ref: 001CED14
CloseClipboard.USER32 ref: 001CED59

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 3fa127d3b071b0cdee6813af2fdf217bb8de672520feed363cba390c4ee90b52
Instruction ID: b52ee8486c02a4bbff46c1c70372c36913a94d289e6207ee75a2f7f202f06d9e
Opcode Fuzzy Hash: 3fa127d3b071b0cdee6813af2fdf217bb8de672520feed363cba390c4ee90b52
Instruction Fuzzy Hash: 2B619D342042429FD310EFA4DC85F7A77E4AFA4714F14451DF8669B2A2DB31DD8ACBA2

Function 001C698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C69BE
FindClose.KERNEL32(00000000), ref: 001C6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001C6A75

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001C6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 001C6B32
%4d%02d%02d%02d%02d%02d, xrefs: 001C6B6A
%03d, xrefs: 001C6DA2
%02d, xrefs: 001C6C00, 001C6C0A, 001C6C5A, 001C6CAA, 001C6CFA, 001C6D4A
%4d, xrefs: 001C6BB1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3c206e481cd911739daa3c373707ecef4cd55955af9806c6fd752ca51386184f
Instruction ID: ede99f6efc3b507eb69c58265ab1bb8cc1c1694130bedb3542276015a1c5e269
Opcode Fuzzy Hash: 3c206e481cd911739daa3c373707ecef4cd55955af9806c6fd752ca51386184f
Instruction Fuzzy Hash: 0DD15071508300AEC314DBA4DC82EAFB7E8AFA8705F44491DF995CB191EB74DA48C7A2

Function 001C9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001C9663
GetFileAttributesW.KERNEL32(?), ref: 001C96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001C96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001C96D3
FindClose.KERNEL32(00000000), ref: 001C96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001C96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001C974A
SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001C9772
FindClose.KERNEL32(00000000), ref: 001C977F
FindClose.KERNEL32(00000000), ref: 001C978F

Strings

*.*, xrefs: 001C96F5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a0875ab335729fed06abc33b7698cacb29cdcf37b3b4eb0621efc9c2fbb20c7d
Instruction ID: 55954cf24a365900b1bbc544dc4939497ab7b6ea0c1479575ac82afad1bc5e79
Opcode Fuzzy Hash: a0875ab335729fed06abc33b7698cacb29cdcf37b3b4eb0621efc9c2fbb20c7d
Instruction Fuzzy Hash: 2731DF3254125AAACB14AFF4DC4DEDE77ACAF19320F104059E914E60A0DB70DE818E94

Function 001C979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001C97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001C9819
FindClose.KERNEL32(00000000), ref: 001C9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001C9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001C9890
SetCurrentDirectoryW.KERNEL32(00216B7C), ref: 001C98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001C98B8
FindClose.KERNEL32(00000000), ref: 001C98C5
FindClose.KERNEL32(00000000), ref: 001C98D5

Part of subcall function 001BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001BDB00

Strings

*.*, xrefs: 001C983B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d95f823b25e9b20222e8a974e1e2374fc93aa01a22958857989c0ea7bc4a903f
Instruction ID: b41d630f7744eeec3afe4bd7041c9a53935a670594df71fe497f711e8abff7e2
Opcode Fuzzy Hash: d95f823b25e9b20222e8a974e1e2374fc93aa01a22958857989c0ea7bc4a903f
Instruction Fuzzy Hash: B831E13250069EAADB10AFB4EC4DFDE77ACAF26320F108159E914A30D1DB71DE858A64

Function 001DBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001DBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001DBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001DC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001DC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001DC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001DC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001DC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001DC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001DC382
RegCloseKey.ADVAPI32(00000000), ref: 001DC38F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 29067d9713a62638e27ec939bc80fcf42c3e078ee0ac49ab77756e40bfdd9f7c
Instruction ID: 15635fce2e1cc84095b97bab2fdd0b92282964ede9f4703f54ced1d569b6d1b3
Opcode Fuzzy Hash: 29067d9713a62638e27ec939bc80fcf42c3e078ee0ac49ab77756e40bfdd9f7c
Instruction Fuzzy Hash: E0023C71604201EFD714CF28C895E2ABBE5AF49318F19889DF85A8F3A2D731ED45CB91

Function 001C8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001C8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001C8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001C8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001C8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8395

Strings

*.*, xrefs: 001C839B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6517d764fe60f7c8030f16a84aac0dcb98d34eb60eeb5e5be57fe7dbc5f55f35
Instruction ID: 631fa9b0e7218815ae8d74771f6bacdd26f1ae552c13aeea003fb732116d9ff5
Opcode Fuzzy Hash: 6517d764fe60f7c8030f16a84aac0dcb98d34eb60eeb5e5be57fe7dbc5f55f35
Instruction Fuzzy Hash: 8D618D715143459FC710EF64D884EAEB3E8FFA9310F04881EF99987251EB31E949CB92

Function 001BD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

FindFirstFileW.KERNEL32(?,?), ref: 001BD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001BD1DD
MoveFileW.KERNEL32(?,?), ref: 001BD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD237

Part of subcall function 001BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001BD21C,?,?), ref: 001BD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001BD253
FindClose.KERNEL32(00000000), ref: 001BD264

Strings

\*.*, xrefs: 001BD0CD, 001BD0D6, 001BD0EB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: acee6ecf1205a955fd102b88fec908fe313efe80d9a39f42fe1975be56589274
Instruction ID: 10f6049485debdbb7d8d068a47dae82dcce15a862d70293689e2f54112e65920
Opcode Fuzzy Hash: acee6ecf1205a955fd102b88fec908fe313efe80d9a39f42fe1975be56589274
Instruction Fuzzy Hash: 4A616E3180114DEBCF09EBE0ED929EDB7B5AF25305F6041A5E8127B192EB309F49CB61

Function 001CED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001CED91
EmptyClipboard.USER32 ref: 001CED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001CEDAC
CloseClipboard.USER32 ref: 001CEEA3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4491312509fa7833efb0df3316c5a74ad42b492f25fb97aa9e21489763a5ca9c
Instruction ID: bc904c38d51d00df5a90d8906bfcdd02f592ed1869a5f704d955e96fb1c58be3
Opcode Fuzzy Hash: 4491312509fa7833efb0df3316c5a74ad42b492f25fb97aa9e21489763a5ca9c
Instruction Fuzzy Hash: DF419D31204251AFD720DF55D889F2ABBE1EF54358F14809DE8268FA62C735EC82CBD0

Function 001BE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
Part of subcall function 001B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
Part of subcall function 001B16C3: GetLastError.KERNEL32 ref: 001B174A

ExitWindowsEx.USER32(?,00000000), ref: 001BE932

Strings

@, xrefs: 001BE925
SeShutdownPrivilege, xrefs: 001BE902
, xrefs: 001BE95C
, xrefs: 001BE920

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d246d29cdf8dff98294542e5aa11ff17d8d71a180b02c0de9fedc5728404da5e
Instruction ID: 250e3ff05877f975ac3ae262b09e96de3e3dc1b2fbcee6b75fd64deb8ed9de82
Opcode Fuzzy Hash: d246d29cdf8dff98294542e5aa11ff17d8d71a180b02c0de9fedc5728404da5e
Instruction Fuzzy Hash: 3E01D673610311AFEB5826B49C8ABFF72DCAB14758F160422F913E61D1D7A05C8885D0

Function 001D1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001D1276
WSAGetLastError.WSOCK32 ref: 001D1283
bind.WSOCK32(00000000,?,00000010), ref: 001D12BA
WSAGetLastError.WSOCK32 ref: 001D12C5
closesocket.WSOCK32(00000000), ref: 001D12F4
listen.WSOCK32(00000000,00000005), ref: 001D1303
WSAGetLastError.WSOCK32 ref: 001D130D
closesocket.WSOCK32(00000000), ref: 001D133C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 33eb14acc38c5fa0b4f8b4d93dd902e12cf82fe67d35e261b38bb9d8f45fd821
Instruction ID: 2824b1ddf449cbe5d90ddc281371746f36721b56db1a5eca6484104ad14ef15a
Opcode Fuzzy Hash: 33eb14acc38c5fa0b4f8b4d93dd902e12cf82fe67d35e261b38bb9d8f45fd821
Instruction Fuzzy Hash: 89416E31600240BFD714DF64D9C4B29BBE6AF46318F288189E8568F392C771ED86CBE1

Function 0018B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0018B9D4
_free.LIBCMT ref: 0018B9F8
_free.LIBCMT ref: 0018BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001F3700), ref: 0018BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0022121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0018BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00221270,000000FF,?,0000003F,00000000,?), ref: 0018BC36
_free.LIBCMT ref: 0018BD4B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 67976a178e3b98c5b7a248e7408fe8c31daf7bfe46ae6a324c2ec6a51fd30686
Instruction ID: 2782d061b71345cf7349bb8c17baa7ebee3de4612e48d0593dbeca3664962830
Opcode Fuzzy Hash: 67976a178e3b98c5b7a248e7408fe8c31daf7bfe46ae6a324c2ec6a51fd30686
Instruction Fuzzy Hash: ABC11671908215AFDB24BF689CD1BAE7BB8EF61310F1442AAE894D7251EB309F41CF50

Function 001BD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

FindFirstFileW.KERNEL32(?,?), ref: 001BD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001BD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001BD481
FindClose.KERNEL32(00000000), ref: 001BD498
FindClose.KERNEL32(00000000), ref: 001BD4A1

Strings

\*.*, xrefs: 001BD3F2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0149f194342dd33c1115827d969cce777fe77bd484e969be630d2f22c8f48617
Instruction ID: 8e1928faaa61526c1fe3562a54a7601e2343824e696ea88b82348d5551492a0a
Opcode Fuzzy Hash: 0149f194342dd33c1115827d969cce777fe77bd484e969be630d2f22c8f48617
Instruction Fuzzy Hash: ED315071008385DBC304EF64D8918EF77E8BEA5315F844A2DF8E597191EB20AA0DC7A3

Function 0018E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0018E645

Strings

1#INF, xrefs: 0018F852
1#SNAN, xrefs: 0018F844
1#IND, xrefs: 0018F83D
1#QNAN, xrefs: 0018F84B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 93cb1c46b9e5e13d8024ebc4a86ea0e8a6ec144539d1401132164a8017ee99bf
Instruction ID: 0d67b57e32c1b7215673050b53335ccb7e66ec660e97ca35eb17efe3af968a72
Opcode Fuzzy Hash: 93cb1c46b9e5e13d8024ebc4a86ea0e8a6ec144539d1401132164a8017ee99bf
Instruction Fuzzy Hash: E1C22A71E086288FDB29DE28DD447EAB7B5EB49305F1541EAD84DE7240E774AF828F40

Function 001C648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C64DC
CoInitialize.OLE32(00000000), ref: 001C6639
CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C6650
CoUninitialize.OLE32 ref: 001C68D4

Strings

.lnk, xrefs: 001C64BA, 001C6524, 001C65E0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f269b60f4b412a028ac788b171de0271ba79ac33755ff22e8e12b310379f5315
Instruction ID: 9b8994dd53980e347a7bd9ef2b3789f0887e634f7e7562bfa3f5a9a73bbdb77e
Opcode Fuzzy Hash: f269b60f4b412a028ac788b171de0271ba79ac33755ff22e8e12b310379f5315
Instruction Fuzzy Hash: 5BD13971508301AFC304EF24C881E6BB7E9FFA9705F50496DF9958B291EB70E949CB92

Function 001D22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001D22E8

Part of subcall function 001CE4EC: GetWindowRect.USER32(?,?), ref: 001CE504

GetDesktopWindow.USER32 ref: 001D2312
GetWindowRect.USER32(00000000), ref: 001D2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001D2355
GetCursorPos.USER32(?), ref: 001D2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001D23DF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5cd8cd006655e815744ceaf1222fa96fc79b3939d7140bbd28bb6d39f21c4568
Instruction ID: f9c07c8710d9d9a2e10f417a60e3b8b817a5220b3e61fe86275b92693d15ae2f
Opcode Fuzzy Hash: 5cd8cd006655e815744ceaf1222fa96fc79b3939d7140bbd28bb6d39f21c4568
Instruction Fuzzy Hash: 9C31CF72504355ABCB20DF54CC45B9BB7E9FF98314F00091AF9959B281DB34E949CBD2

Function 001C9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001C9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001C9C8B

Part of subcall function 001C3874: GetInputState.USER32 ref: 001C38CB
Part of subcall function 001C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001C9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001C9C75

Strings

*.*, xrefs: 001C9B5D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8abffcfa6d2883f4cbc07e65b5286961b5821130041000374da561e245b797cd
Instruction ID: bfbe55b58f696b5d16cb5ea3b184bef5cf8e25d0ef12880b6e97f59811b68495
Opcode Fuzzy Hash: 8abffcfa6d2883f4cbc07e65b5286961b5821130041000374da561e245b797cd
Instruction Fuzzy Hash: F7417E7190420AEBCF14DFA4C889FEEBBB4EF25311F204159E815A6191EB31DE85CBA4

Function 0016997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00169A4E
GetSysColor.USER32(0000000F), ref: 00169B23
SetBkColor.GDI32(?,00000000), ref: 00169B36

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 790e4faa0e81b3b50514defcbd69403a941cf8e452adcd6897fb16e8bf2a00ff
Instruction ID: 44a15f85a88c5a92fd172d527e7b4458376fb4b2c2849127a40e9710d6f2890e
Opcode Fuzzy Hash: 790e4faa0e81b3b50514defcbd69403a941cf8e452adcd6897fb16e8bf2a00ff
Instruction Fuzzy Hash: 40A10671208444BFE728AAAD9C9CE7F369DDB53300B16021AF502C76D1CB359E62C672

Function 001D1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001D185D
WSAGetLastError.WSOCK32 ref: 001D1884
bind.WSOCK32(00000000,?,00000010), ref: 001D18DB
WSAGetLastError.WSOCK32 ref: 001D18E6
closesocket.WSOCK32(00000000), ref: 001D1915

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 524c8709c6816e60cba6a91478b6c1d9939614e38fd67cfebc168d441014fad2
Instruction ID: d3abde47b7a8b9bf9dbb6058febb4e778c510e69e17f0cf00898e8a0277756ac
Opcode Fuzzy Hash: 524c8709c6816e60cba6a91478b6c1d9939614e38fd67cfebc168d441014fad2
Instruction Fuzzy Hash: 2351A071A00200AFDB10EF64D886F2A77E5AB58718F48805DF9155F3D3DB71AD428BE1

Function 001E1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001E1CC0
IsWindowEnabled.USER32 ref: 001E1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001E1CDB
IsIconic.USER32 ref: 001E1CE9
IsZoomed.USER32 ref: 001E1CF7

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cd62b24b1574150f08cf27d3471db77dcb6e83ce9aa65ee6c462b426d2a1d687
Instruction ID: 19510b2c76c8a6d85591cca520aef6554ac492868229785db59ea51f18c7b4f8
Opcode Fuzzy Hash: cd62b24b1574150f08cf27d3471db77dcb6e83ce9aa65ee6c462b426d2a1d687
Instruction Fuzzy Hash: E3218231740A916FD7208F1BC894B6E7BA5BF95315B298068E846CB351C771EC82CB90

Function 00158060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0015843C
ERCP, xrefs: 0015813C
VUUU, xrefs: 001583E8
VUUU, xrefs: 001583FA
VUUU, xrefs: 00195DF0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a280816d2047eeb631aab91fa2114c35197f7463e651139ff1a3ef53474c07a5
Instruction ID: 537a44b064c303331cce422b7ee4cd13fde73b36ce28a5fc3f9f3a82b083f821
Opcode Fuzzy Hash: a280816d2047eeb631aab91fa2114c35197f7463e651139ff1a3ef53474c07a5
Instruction Fuzzy Hash: 77A28070E0061ACBDF25CF58C9807ADB7B2BF54315F2581A9EC25BB285EB709D85CB50

Function 001B8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001B82AA

Strings

tb!, xrefs: 001B84F4
(, xrefs: 001B82F0
|, xrefs: 001B82DA

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb!$|
API String ID: 1659193697-4054476356
Opcode ID: 33aba86ea8fa958e24c6801b4fa4549d291f672375dc40197b5af3cbf301b3ff
Instruction ID: 7ad4624306908a307f1f2c5d7fae134fb6b9cb67a3fa46e875f93df43a15572f
Opcode Fuzzy Hash: 33aba86ea8fa958e24c6801b4fa4549d291f672375dc40197b5af3cbf301b3ff
Instruction Fuzzy Hash: 02322775A00605DFC728DF59C481AAAB7F4FF48B10B15C56EE49ADB3A1EB70E981CB40

Function 001BAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001BAAAC
SetKeyboardState.USER32(00000080), ref: 001BAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001BAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001BAB88

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f1c9dc47794938a000995dbf99f6b7e781b72d45a494111d35cd1099ae68ba98
Instruction ID: eba3e0e6f83b455b085a864aa64c0a34aea105aa19d058d50d192e65d19810a2
Opcode Fuzzy Hash: f1c9dc47794938a000995dbf99f6b7e781b72d45a494111d35cd1099ae68ba98
Instruction Fuzzy Hash: 58313730A80248AEFF35CB65CD45BFE7BAAAF48310F84421AF5A1961D0D3759D85C7A2

Function 001CCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001CCE89
GetLastError.KERNEL32(?,00000000), ref: 001CCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001CCEFE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
Instruction ID: f3dd7ab47a16324c9a616c4d148f51cfdbc35423217bfa8d4b534f5ebc07753e
Opcode Fuzzy Hash: f2bda7f1f5815093911e0c6cde5d56d7d7f2cdbc154b883f0d9a066105f9a64d
Instruction Fuzzy Hash: 3E21BD719003059BD720DFA5C988FAA7BF8EB61314F10841EE64AD6551E770EE45CBA0

Function 001C5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001C5D17
FindClose.KERNEL32(?), ref: 001C5D5F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 47713eb1686de38bcde8413adfb7e1fbca18c452af9b1f83442c19afa072b426
Instruction ID: 3aa5a40e9a81877dfe905de42779a6ed7a94c32b9cc077ea3eb1ae0c3185cb9c
Opcode Fuzzy Hash: 47713eb1686de38bcde8413adfb7e1fbca18c452af9b1f83442c19afa072b426
Instruction Fuzzy Hash: 8D5189346047019FC714CF68C894EAAB7E5FF19314F14855EE96A8B3A2CB30F985CB91

Function 00182622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0018271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00182724
UnhandledExceptionFilter.KERNEL32(?), ref: 00182731

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
Instruction ID: 2e0e93659f5268022adf931b90bcf71c4fe7f2d16c43b9cb06fd36b2f5620cf3
Opcode Fuzzy Hash: 87c4ecdf8546e1b95c3ea30659d5f79569a847b4fd813c0876e129ec67fcf48b
Instruction Fuzzy Hash: D031B474951328ABCB21DF64DC8979DB7B8BF18310F5081EAE81CA7261E7309F818F45

Function 001C51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001C5238
SetErrorMode.KERNEL32(00000000), ref: 001C52A1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
Instruction ID: 765cc65b53c6edbaf20f4e4f7ae455fe4d61f71e1ba2a6f387c559e3cbd989ca
Opcode Fuzzy Hash: e8e668b4601b23c38ce0f574e84d22a172d85f3a5361bcd5f7c4d69853ceca44
Instruction Fuzzy Hash: 9A310975A00618DFDB00DF94D884EADBBF5FF59314F048099E805AF2A2DB31E85ACB91

Function 001B16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170668
Part of subcall function 0016FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00170685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001B170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001B173A
GetLastError.KERNEL32 ref: 001B174A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 41161249f765dd4313de5910492e85ce4c9b8424882748dbed0ef3729a353b31
Instruction ID: dc4db161f5a45bd7269fa87509e9129cad179ef4441af2565a9f268150a024c3
Opcode Fuzzy Hash: 41161249f765dd4313de5910492e85ce4c9b8424882748dbed0ef3729a353b31
Instruction Fuzzy Hash: 991191B2404304BFD718AF94ECC6DABB7BDEB45714B21852EF45657681EB70BC428B60

Function 001BD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001BD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001BD650

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
Instruction ID: 7accb0fec2b4bf41894f3732a82e6eabbd09bab834b209508cd83eb0436649da
Opcode Fuzzy Hash: 72fe3e8a5982f03c42408e34d9e3032dc0a07cb69a7ed1a1128890ebd2fb647c
Instruction Fuzzy Hash: 86113C75E05228BBDB148F95AC85FEFBFBCEB45B50F108115F904E7290D7704A058BA1

Function 001B1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001B168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001B16A1
FreeSid.ADVAPI32(?), ref: 001B16B1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
Instruction ID: f0c3502245d358522e38f40fb83de7eb29c0cabb3634b64058d89c4596c47703
Opcode Fuzzy Hash: c6644a2e5a34488b4a3a10b85e61d13284a20a88ecec5c5820418322c17872f2
Instruction Fuzzy Hash: FDF0F475950309FBDB00DFE49C89AAEBBBCFB08704F504565E501E6181E774AA448A90

Function 0018C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0018C36C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3d99eddf20e398cf68f501b5538509b71ebcd2f59f290244bf14213dd38aecba
Instruction ID: d3d1ee18ba1b9f84214412e078655f2e0ed3d9bcde84cfab2ddd7157bc629cd6
Opcode Fuzzy Hash: 3d99eddf20e398cf68f501b5538509b71ebcd2f59f290244bf14213dd38aecba
Instruction Fuzzy Hash: 61410876500219ABCB24AFB9DC49EBB7779FB84354F504269F905D7180E7709E818FA0

Function 001AD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001AD28C

Strings

X64, xrefs: 001AD2A8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
Instruction ID: da603a9316b1ca49e03ba00c6a7ae9b626bed7a79e83e9d299d45527a55fb86a
Opcode Fuzzy Hash: 8d96aa1334d777ada449dcaff991e04b4b3da82e6d1f975c5c6701caa68e7455
Instruction Fuzzy Hash: E2D0C9B880111DEACB94DB90ECC8DDEB37CBB04305F110152F506A2000DB3095498F50

Function 0017CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 353e45805d69377230ec44f27d0e511099c3c35a3d332279eba0220d56fcbe14
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 06021B71E002199BDF24CFA9C8906ADFBF1EF58314F25816ED919E7384D731AA418BD4

Function 0015CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#", xrefs: 0015CF7F
Variable is not of type 'Object'., xrefs: 001A0C40

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#"
API String ID: 0-2226386633
Opcode ID: 80d4f0a886b1002a621889c308ff23de8bf8d7f5e5bccd6ebc4b066ca9b66ce5
Instruction ID: e6788ab9e68f919d5ae92f26a5c0e20fefbddc94f7d5f6762ae3879121acd0a4
Opcode Fuzzy Hash: 80d4f0a886b1002a621889c308ff23de8bf8d7f5e5bccd6ebc4b066ca9b66ce5
Instruction Fuzzy Hash: 6B327974900318DFCF19DF94C881AEDB7B5BF1A305F144059E826AF292D775AE49CBA0

Function 001C68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001C6918
FindClose.KERNEL32(00000000), ref: 001C6961

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
Instruction ID: cb8cebed15263defe83a7d9a38091470666a780f663452734b99ad9b7b08e580
Opcode Fuzzy Hash: aedafde08dcd7b9990856c0ba85b717a0798850d58ce5772da3595ed1b633e8b
Instruction Fuzzy Hash: 8311BE316042019FC710CF69D885E1ABBE1EF98329F04C69DE8698F6A2C730EC45CBD0

Function 001C37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001D4891,?,?,00000035,?), ref: 001C37F4

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 929267a09dca4236884481de27772d90db3929d3b47556769a39ceaa1b5beae0
Instruction ID: 0d806c60f141454299a9fe1ae095506f788598809ec2eb0a897d291245ee0e3b
Opcode Fuzzy Hash: 929267a09dca4236884481de27772d90db3929d3b47556769a39ceaa1b5beae0
Instruction Fuzzy Hash: EFF0E5B16043296AEB2017A68C8DFEB7AAEEFC5761F000165F519D2281DA609944C6F0

Function 001BB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001BB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 001BB270

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 16937ffffb7f8227e6ae5d8b96f983665ccdfd3369cf2b1fe3b19ca9929b5d94
Instruction ID: 181517e38a4b2ff027b0b3c224695ee2eec24733d1d80b23ac04a90051dec9d6
Opcode Fuzzy Hash: 16937ffffb7f8227e6ae5d8b96f983665ccdfd3369cf2b1fe3b19ca9929b5d94
Instruction Fuzzy Hash: 6CF01D7190428EABDB059FA1C845BEE7BB4FF04305F008049F965A9191C379D6519F94

Function 001B10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001B11FC), ref: 001B10D4
CloseHandle.KERNEL32(?,?,001B11FC), ref: 001B10E9

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 801da7767a2689a564087f86d7c6d15e486defb5a3a27cf6adde313e7f10f19c
Instruction ID: 226fd330bbba92d0709267fe84b32f6bfd97537d7d80a80ee7159cb8d4d119a5
Opcode Fuzzy Hash: 801da7767a2689a564087f86d7c6d15e486defb5a3a27cf6adde313e7f10f19c
Instruction Fuzzy Hash: 67E04F32004600AEE7252B51FC05EB77BA9FB04310B10882EF4A5844B1DB626CE1DB50

Function 0018676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00186766,?,?,00000008,?,?,0018FEFE,00000000), ref: 00186998

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
Instruction ID: 9bfe75c222f64e5ec982550b100e19866e543599ca4d78efbf4873f1714a709b
Opcode Fuzzy Hash: 7efdca6b6de1e8e9f838ceb9e88d152baab41f40cf381180628403ae2db99702
Instruction Fuzzy Hash: 7EB13B31610609DFD719DF28C48AB657BE0FF45368F258658E89ACF2A2C735EA91CF40

Function 0016B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001A851F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
Instruction ID: 313af184affb30cb9f5ea653d44c337edcd3bb2866dcfb1bbdad865218d7e918
Opcode Fuzzy Hash: 82aa001afdb5d6f65a5e020ab521dfae21cd02f4d58943eac68545285ed04267
Instruction Fuzzy Hash: E0124075D042299BDB24CF58C8807EEB7F5FF48710F1581AAE849EB255EB309E91CB90

Function 001CEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001CEABD

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
Instruction ID: 024d7c106a67a6646738c74a8a72d81279c34f3de4f4968b0fd84092d86be4b0
Opcode Fuzzy Hash: bcf00c57f613047c4544b588b4e39f11e078695fea6f1e51366c5ae0b102192a
Instruction Fuzzy Hash: 69E04F312102049FC710EF69D844E9AF7E9AFA8760F00841AFC49CB751DBB0E8458B90

Function 001709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001703EE), ref: 001709DA

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
Instruction ID: 154f79b0d7f5f09755330166283a257bd882121cb5ff6d08619dcd53b9fca18e
Opcode Fuzzy Hash: 802fb7797659b3b728709d5b70caf001c6ae58f0c7cc04cbf027d018100d0a5c
Instruction Fuzzy Hash:

Function 0017781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0017798B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 51a7e498feb8b096793290e993707060369b2d86b0323a33945bddb6f5a2ed3a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CF51887164C705ABDF388568C85EBBE63B99B12358F18C919E98EC72C2C711DE41D393

Function 001C2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&", xrefs: 001C2053

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: 0&"
API String ID: 0-3449093698
Opcode ID: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
Instruction ID: cd654b31cc05e0e0be617e21116041658166cab8eb6d2b65d112cb4e55a30b73
Opcode Fuzzy Hash: 2627cc5f48510c8a37ac77796b6f6e8dfead87f0c9f1fb73ecefabd65589e713
Instruction Fuzzy Hash: 4821B7326206119BD728CF79D92367E73E9A764310F15862EE4A7C77D1DE3AE904CB80

Function 00186DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
Instruction ID: 34283e9119d23779ff2c4252e097093873a9d9afd2a2f44c0ba8dc2d5cb560f4
Opcode Fuzzy Hash: 77d7abe44138616d7bd2ef4e51195efccc77e87f9baa4961c8739b9fa3a81edc
Instruction Fuzzy Hash: 4532F321D29F014DD723A634D822335A649AFB73C5F25D737E81AB5DAAEB39C5C38600

Function 0016CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
Instruction ID: b2c1d17542a7bec7d5957da00b4372dac64ca418dcf669dc1f19bd9aa3f1f886
Opcode Fuzzy Hash: 6f49192fc4c1b10feb3632740c1fd46f237f3380d41a39de5cbd48247e7256cd
Instruction Fuzzy Hash: 5E32373AA041158BCF28CF6CC8946BD7BA1EF46314F29856AD49ADB391E730DD81DBD0

Function 00157920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534b271eb4b7586dfc940cf85cecd25a27d0698af8d1dff53e7577f79261fbbd
Instruction ID: 9ee16eb595346af47c890bd2842d56c3da12b36eb881c4dd2ae70674a3140bae
Opcode Fuzzy Hash: 534b271eb4b7586dfc940cf85cecd25a27d0698af8d1dff53e7577f79261fbbd
Instruction Fuzzy Hash: CF22C2B0A04609DFDF14CF64D882AAEB7F6FF54301F144529E826EB291EB36AD15CB50

Function 001591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdec290ce173d4f55d26b91e6481db292ce703f6daa9e155562c47173b777fed
Instruction ID: ce52f3b31a2a47d720de1609251c19317ece2e914cea1ee3e4952525fa969d8d
Opcode Fuzzy Hash: bdec290ce173d4f55d26b91e6481db292ce703f6daa9e155562c47173b777fed
Instruction Fuzzy Hash: C402B6B1E00209EBDF04DF64D881AADBBF5FF54300F118169E816DB291EB31EA65CB95

Function 00189EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd5c29f7e84876c433d9bee6b35e664f3dcce33c76ffdad6d7147caafccac88
Instruction ID: f1287b067714f99d941a7b98e3cd260437632ab916a9f1837bf1089897950f23
Opcode Fuzzy Hash: 8cd5c29f7e84876c433d9bee6b35e664f3dcce33c76ffdad6d7147caafccac88
Instruction Fuzzy Hash: 6DB1D120D2AF414DD62396398835336B65CBFBB6D5F91D71BFC2674D62EB2286C38240

Function 00171C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b353f8d3a72e557f59149b42d8492c632099f8f23664a6b0ca0e3bffe41ce1c6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C59188731080A35ADB2E467E857907EFFF15A923A131A479DD4FACA1C1FF20C954DA20

Function 00171F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 2f5a88cf45f12962adebefe3254c12b56a43252c9d0b9f51007378b19c337009
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: B49156732090A34ADB6D463D847403EFFF15A923A131A879EE4FACA1C5EF34C659D620

Function 001719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 815156f3c3dd5adc3df66e13d35b1b868088af752db7552e44a448c99f7c8796
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B99130722090E25ADB2D467E857403DFEF15A923A131A879DD4FACB1C1FF248659D620

Function 00177A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
Instruction ID: 7104e99ce7bf15d4157ad1316843741d0bbf4cc2354614b711f26d50d2626b90
Opcode Fuzzy Hash: 0462ae075220569421503736d0015834fdb0a28793959f49ad4d55881531e2fe
Instruction Fuzzy Hash: 48616831748709A6EE38AA288C95BBE23B4DF55700F18C91AE94EDB2C1DB119F42C755

Function 00177CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711debf40cff32ea406a9928e790c72c4170a930c4cb149341a94855b4854f48
Instruction ID: db3063e48f74f371eb1fd36d67097496aded9c63a64ad7b6a5c993431ac33766
Opcode Fuzzy Hash: 711debf40cff32ea406a9928e790c72c4170a930c4cb149341a94855b4854f48
Instruction Fuzzy Hash: B861993124C709A6DE394AE8D855BBF23B4EF52744F10C85AE94ECB2C1EB12DD42C355

Function 00171706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: f633d32736c9c6c9d2fbf2fc55baca527b92d4ba7fe3de46f20a2499283c0b80
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7D8184336080A319DB6D463E853407EFFF15A923A531A879DD4FACB1C1EF24C659E620

Function 001D2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D2B30
DeleteObject.GDI32(00000000), ref: 001D2B43
DestroyWindow.USER32 ref: 001D2B52
GetDesktopWindow.USER32 ref: 001D2B6D
GetWindowRect.USER32(00000000), ref: 001D2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001D2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001D2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2CF8
GetClientRect.USER32(00000000,?), ref: 001D2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001D2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D80
GlobalLock.KERNEL32(00000000), ref: 001D2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2D98
GlobalUnlock.KERNEL32(00000000), ref: 001D2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DA8
GlobalFree.KERNEL32(00000000), ref: 001D2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001EFC38,00000000), ref: 001D2DDB
GlobalFree.KERNEL32(00000000), ref: 001D2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001D2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001D2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001D303F

Strings

static, xrefs: 001D2D3A, 001D2E91
DISPLAY, xrefs: 001D2EA2
, xrefs: 001D2FC5
AutoIt v3, xrefs: 001D2CF2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
Instruction ID: 93cb1c733b231ba24f17ad85398abc25f9440797df77b5f07980b71f74e5f624
Opcode Fuzzy Hash: bdbce7ab3199b405c73918352b6fda58f087aff008c3610c3d916937fcd7f5a4
Instruction Fuzzy Hash: C4028D71900205EFDB14DFA4DC89EAE7BB9FF58311F008559F925AB2A1D770AD42CBA0

Function 001E70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001E712F
GetSysColorBrush.USER32(0000000F), ref: 001E7160
GetSysColor.USER32(0000000F), ref: 001E716C
SetBkColor.GDI32(?,000000FF), ref: 001E7186
SelectObject.GDI32(?,?), ref: 001E7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001E71C0
GetSysColor.USER32(00000010), ref: 001E71C8
CreateSolidBrush.GDI32(00000000), ref: 001E71CF
FrameRect.USER32(?,?,00000000), ref: 001E71DE
DeleteObject.GDI32(00000000), ref: 001E71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001E7230
FillRect.USER32(?,?,?), ref: 001E7262
GetWindowLongW.USER32(?,000000F0), ref: 001E7284

Part of subcall function 001E73E8: GetSysColor.USER32(00000012), ref: 001E7421
Part of subcall function 001E73E8: SetTextColor.GDI32(?,?), ref: 001E7425
Part of subcall function 001E73E8: GetSysColorBrush.USER32(0000000F), ref: 001E743B
Part of subcall function 001E73E8: GetSysColor.USER32(0000000F), ref: 001E7446
Part of subcall function 001E73E8: GetSysColor.USER32(00000011), ref: 001E7463
Part of subcall function 001E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
Part of subcall function 001E73E8: SelectObject.GDI32(?,00000000), ref: 001E7482
Part of subcall function 001E73E8: SetBkColor.GDI32(?,00000000), ref: 001E748B
Part of subcall function 001E73E8: SelectObject.GDI32(?,?), ref: 001E7498
Part of subcall function 001E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
Part of subcall function 001E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
Part of subcall function 001E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1ef9b6eb84fe35aa4bc8eee23abc51e16a935ebb2f4616c2adf5e76110e17ae0
Instruction ID: a9449cc8ad0ee7238bf51cf2e7250b22b577f3f6b3cbcb47a3b0ae037e9a534a
Opcode Fuzzy Hash: 1ef9b6eb84fe35aa4bc8eee23abc51e16a935ebb2f4616c2adf5e76110e17ae0
Instruction Fuzzy Hash: 15A1B472108741EFD7049FA0DC88E5F7BA9FF49720F100A19FA629A1E1D731D985CB91

Function 00168D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00168E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001A6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001A6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001A6F43

Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5

SendMessageW.USER32(?,00001053), ref: 001A6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001A6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001A6FB7

Strings

0, xrefs: 001A6DCF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
Instruction ID: 473aac98cc1af3dea423040815ac39ec440190bfae81421ca191733310bfa069
Opcode Fuzzy Hash: b01689f40c329f0fde5526cc91832acd6e4d17ac4e1a7ce6dad196f4613f04a0
Instruction Fuzzy Hash: 7912B038200251EFD725CF54DC98BAAB7E1FB5A310F184569F4858B661CB32ECA2CB91

Function 001D2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001D273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001D286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001D28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001D28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001D2900
GetClientRect.USER32(00000000,?), ref: 001D290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001D2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001D2964
GetStockObject.GDI32(00000011), ref: 001D2974
SelectObject.GDI32(00000000,00000000), ref: 001D2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001D2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2991
DeleteDC.GDI32(00000000), ref: 001D299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001D29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001D29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001D2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001D2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001D2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001D2A77
GetStockObject.GDI32(00000011), ref: 001D2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001D2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001D2A97

Strings

static, xrefs: 001D294F, 001D2A71
DISPLAY, xrefs: 001D295A
msctls_progress32, xrefs: 001D2A13
AutoIt v3, xrefs: 001D28F8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
Instruction ID: 17cb5870b8562eb448c83c801850bed6b8b7020c03c95e6f60ef50bff37256ef
Opcode Fuzzy Hash: 1b2810f6353bd85250225cfc6bf5ee3f62afb3181a3601218adaa97e1021ab11
Instruction Fuzzy Hash: 39B14D71A00215BFEB24DFA8DC89FAE7BA9EF18711F004155F925EB290D774AD41CB90

Function 001C4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C4AED
GetDriveTypeW.KERNEL32(?,001ECB68,?,\\.\,001ECC08), ref: 001C4BCA
SetErrorMode.KERNEL32(00000000,001ECB68,?,\\.\,001ECC08), ref: 001C4D36

Strings

CDROM, xrefs: 001C4BFB
Network, xrefs: 001C4C02
Unknown, xrefs: 001C4BED, 001C4C83
Virtual, xrefs: 001C4CE5
SATA, xrefs: 001C4CD0
ATA, xrefs: 001C4C98
RAMDisk, xrefs: 001C4BF4
iSCSI, xrefs: 001C4CC2
ATAPI, xrefs: 001C4C91
\\.\, xrefs: 001C4B3F
PhysicalDrive, xrefs: 001C4B76
Fibre, xrefs: 001C4CAD
FileBackedVirtual, xrefs: 001C4CEC
1394, xrefs: 001C4C9F
SSA, xrefs: 001C4CA6
USB, xrefs: 001C4CB4
SAS, xrefs: 001C4CC9
RAID, xrefs: 001C4CBB
SCSI, xrefs: 001C4C8A
Fixed, xrefs: 001C4C09
MMC, xrefs: 001C4CDE
SSD, xrefs: 001C4C4A
Removable, xrefs: 001C4C10, 001C4C15

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e2fb8bd397bdee21bb57ffdd2ec9c572f4d2103c7818c8e65998ec08802c32c1
Instruction ID: bab4435372af537b66c9769d7ea0faaf7a15a1a38088cd0e74721ec1406a7f3f
Opcode Fuzzy Hash: e2fb8bd397bdee21bb57ffdd2ec9c572f4d2103c7818c8e65998ec08802c32c1
Instruction Fuzzy Hash: 0861E430619105DBCB18DF64DAA6FBD77F0AB35300B25401DF806AB6A1DB31ED91DB85

Function 001E73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001E7421
SetTextColor.GDI32(?,?), ref: 001E7425
GetSysColorBrush.USER32(0000000F), ref: 001E743B
GetSysColor.USER32(0000000F), ref: 001E7446
CreateSolidBrush.GDI32(?), ref: 001E744B
GetSysColor.USER32(00000011), ref: 001E7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001E7471
SelectObject.GDI32(?,00000000), ref: 001E7482
SetBkColor.GDI32(?,00000000), ref: 001E748B
SelectObject.GDI32(?,?), ref: 001E7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001E74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001E74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001E74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001E752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001E7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001E7572
DrawFocusRect.USER32(?,?), ref: 001E757D
GetSysColor.USER32(00000011), ref: 001E758E
SetTextColor.GDI32(?,00000000), ref: 001E7596
DrawTextW.USER32(?,001E70F5,000000FF,?,00000000), ref: 001E75A8
SelectObject.GDI32(?,?), ref: 001E75BF
DeleteObject.GDI32(?), ref: 001E75CA
SelectObject.GDI32(?,?), ref: 001E75D0
DeleteObject.GDI32(?), ref: 001E75D5
SetTextColor.GDI32(?,?), ref: 001E75DB
SetBkColor.GDI32(?,?), ref: 001E75E5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d046e1b36f17767b5d16e4a06d64624402c58aa15e7a75bce6c0ab2c79e5442e
Instruction ID: 9e9bfa0b927b88eb5b451ceeb98e7c533c50149b534e23c2c99257dc8bcdc63f
Opcode Fuzzy Hash: d046e1b36f17767b5d16e4a06d64624402c58aa15e7a75bce6c0ab2c79e5442e
Instruction Fuzzy Hash: 3B616B72900658AFEB059FA4DC89EEEBFB9EF08720F114115F911AB2E1D7709981DF90

Function 001E0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001E1128
GetDesktopWindow.USER32 ref: 001E113D
GetWindowRect.USER32(00000000), ref: 001E1144
GetWindowLongW.USER32(?,000000F0), ref: 001E1199
DestroyWindow.USER32(?), ref: 001E11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001E11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001E1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001E1245
IsWindowVisible.USER32(00000000), ref: 001E12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001E12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001E12D0
GetWindowRect.USER32(00000000,?), ref: 001E12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001E130E
GetMonitorInfoW.USER32(00000000,?), ref: 001E1328
CopyRect.USER32(?,?), ref: 001E133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001E13AA

Strings

tooltips_class32, xrefs: 001E11E6
0, xrefs: 001E10D3
(, xrefs: 001E131B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
Instruction ID: db30d930097fb3911154dec201ef2e76b74d6876501bfdd7ead7364d144a3d93
Opcode Fuzzy Hash: f399afb9ab7c2b6a135886147c178710555e6e8ac1ec5143bf23919f1a0ab41a
Instruction Fuzzy Hash: E1B17971608781AFDB14DF65C884B6FBBE5FF88350F008918F9999B2A1D731E845CB92

Function 001E0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001E02E5
_wcslen.LIBCMT ref: 001E031F
_wcslen.LIBCMT ref: 001E0389
_wcslen.LIBCMT ref: 001E03F1
_wcslen.LIBCMT ref: 001E0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001E04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001E0504

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

Part of subcall function 001B223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B2258
Part of subcall function 001B223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B228A

Strings

DESELECT, xrefs: 001E059C
GETSELECTED, xrefs: 001E05E1
FINDITEM, xrefs: 001E0627
ISSELECTED, xrefs: 001E04DD
SELECTCLEAR, xrefs: 001E052D
GETSELECTEDCOUNT, xrefs: 001E0470, 001E048B
GETSUBITEMCOUNT, xrefs: 001E0384, 001E039F
GETITEMCOUNT, xrefs: 001E0316, 001E0337
SELECTALL, xrefs: 001E0515
SELECTINVERT, xrefs: 001E057E
GETTEXT, xrefs: 001E03EC, 001E0407
VIEWCHANGE, xrefs: 001E0675
SELECT, xrefs: 001E0548

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 422e5891c70774033487f9dd62a0abb47b3f090d928964e18ced979dd056f0ba
Instruction ID: bd43e588c803105df65aca8b15ac5f86d4787dc306c01acb77e9eb34a7afb77f
Opcode Fuzzy Hash: 422e5891c70774033487f9dd62a0abb47b3f090d928964e18ced979dd056f0ba
Instruction Fuzzy Hash: B5E1C1312186818FC719DF29C99096EB3E1BFEC314B14495DF8969B3A1DB70ED85CB81

Function 00168891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00168968
GetSystemMetrics.USER32(00000007), ref: 00168970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0016899B
GetSystemMetrics.USER32(00000008), ref: 001689A3
GetSystemMetrics.USER32(00000004), ref: 001689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00168A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00168A3C
GetClientRect.USER32(00000000,000000FF), ref: 00168A5A
GetStockObject.GDI32(00000011), ref: 00168A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00168A81

Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D

SetTimer.USER32(00000000,00000000,00000028,001690FC), ref: 00168AA8

Strings

AutoIt v3 GUI, xrefs: 00168A20

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4cdb050dc06f7917c6d172ebe8fb2e7cca83af0d26b62d6ac3a3c90f9d510447
Instruction ID: a2672b45cb9fbf618d7c18b9ba919e0908ddd171aa6545aeabe2858f37659a8d
Opcode Fuzzy Hash: 4cdb050dc06f7917c6d172ebe8fb2e7cca83af0d26b62d6ac3a3c90f9d510447
Instruction Fuzzy Hash: 46B19D75A00209AFDB14DFA8DC89FAE7BB5FB48314F154219FA15AB290DB30A851CF51

Function 001B0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
Part of subcall function 001B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
Part of subcall function 001B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
Part of subcall function 001B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
Part of subcall function 001B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001B0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001B0E29
GetLengthSid.ADVAPI32(?), ref: 001B0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001B0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001B0E96
GetLengthSid.ADVAPI32(?), ref: 001B0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001B0EB5
HeapAlloc.KERNEL32(00000000), ref: 001B0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001B0EDD
CopySid.ADVAPI32(00000000), ref: 001B0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001B0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001B0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001B0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F6E
HeapFree.KERNEL32(00000000), ref: 001B0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F7E
HeapFree.KERNEL32(00000000), ref: 001B0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B0F8E
HeapFree.KERNEL32(00000000), ref: 001B0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001B0FA1
HeapFree.KERNEL32(00000000), ref: 001B0FA8

Part of subcall function 001B1193: GetProcessHeap.KERNEL32(00000008,001B0BB1,?,00000000,?,001B0BB1,?), ref: 001B11A1
Part of subcall function 001B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001B0BB1,?), ref: 001B11A8
Part of subcall function 001B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001B0BB1,?), ref: 001B11B7

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
Instruction ID: e4dca2856a8dd8ec66b152bc9d0124a020c05f6b5a6599d5e7ad154cd698a19e
Opcode Fuzzy Hash: 365165600e43cbaca138e706d2db661535369f410b0f9a8ca5d5c62b782e2fcf
Instruction Fuzzy Hash: 13713E71A0020AEBDF219FA4DC45FEFBBB8BF09310F148159F919EA191D7719A45CBA0

Function 001DC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001ECC08,00000000,?,00000000,?,?), ref: 001DC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001DC5A4
_wcslen.LIBCMT ref: 001DC5F4
_wcslen.LIBCMT ref: 001DC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001DC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001DC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001DC84D
RegCloseKey.ADVAPI32(?), ref: 001DC881
RegCloseKey.ADVAPI32(00000000), ref: 001DC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001DC960

Strings

REG_EXPAND_SZ, xrefs: 001DC5CD
REG_MULTI_SZ, xrefs: 001DC6F5
REG_DWORD, xrefs: 001DC804
REG_QWORD, xrefs: 001DC8C3
REG_SZ, xrefs: 001DC644
REG_BINARY, xrefs: 001DC913

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ef1eaf48035206a13cafc2ffd91891fcfe5d5f6cbbaa40a513e02891fc28b310
Instruction ID: d8912816042648fcee3af71ac8376a4ba1b1e875d11ed8f19c5a5d9af54deae1
Opcode Fuzzy Hash: ef1eaf48035206a13cafc2ffd91891fcfe5d5f6cbbaa40a513e02891fc28b310
Instruction Fuzzy Hash: 6B125635604201DFCB14DF24D881A2AB7E5EF88725F04885DF89A9B3A2DB31ED45CB81

Function 001E091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001E09C6
_wcslen.LIBCMT ref: 001E0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E0A54
_wcslen.LIBCMT ref: 001E0A8A
_wcslen.LIBCMT ref: 001E0B06
_wcslen.LIBCMT ref: 001E0B81

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

Part of subcall function 001B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B2BFA

Strings

GETSELECTED, xrefs: 001E0C4E
GETTOTALCOUNT, xrefs: 001E09F2, 001E0A17
EXISTS, xrefs: 001E0B7C, 001E0B97
UNCHECK, xrefs: 001E0D3E
ISCHECKED, xrefs: 001E0CE1
CHECK, xrefs: 001E0A85, 001E0AA0
COLLAPSE, xrefs: 001E0B01, 001E0B1C
GETITEMCOUNT, xrefs: 001E0C1E
EXPAND, xrefs: 001E0BF8
GETTEXT, xrefs: 001E0C97
SELECT, xrefs: 001E0D11

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
Instruction ID: 80427f7f087eb66a85ac83602308ddba293a2fa3b0ac98c233842aa4a15e79bb
Opcode Fuzzy Hash: 252e72f6885c459ff379819bee2d6aec2075036b8b5cc0b1313d4a0a2d875e10
Instruction Fuzzy Hash: E8E1CF35208781CFC715DF25C85086EB7E1BFA8318B15895DF8969B3A2D770ED89CB81

Function 001DC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
_wcslen.LIBCMT ref: 001DC9F1
_wcslen.LIBCMT ref: 001DCA68
_wcslen.LIBCMT ref: 001DCA9E
_wcslen.LIBCMT ref: 001DCAF9
_wcslen.LIBCMT ref: 001DCB2F
_wcslen.LIBCMT ref: 001DCB7F

Strings

HKEY_CURRENT_USER, xrefs: 001DCBBD
HKEY_CLASSES_ROOT, xrefs: 001DCAF3, 001DCAF8
HKCC, xrefs: 001DCBAC
HKCU, xrefs: 001DCBCE
HKEY_USERS, xrefs: 001DCBDF
HKEY_LOCAL_MACHINE, xrefs: 001DCA62, 001DCA67
HKCR, xrefs: 001DCB29, 001DCB2E
HKEY_CURRENT_CONFIG, xrefs: 001DCB79, 001DCB7E
HKU, xrefs: 001DCBF0
HKLM, xrefs: 001DCA98, 001DCA9D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
Instruction ID: d6245dd430dde039f165571733629b2fe9eb1e58e217e3a2b12c72540eed256d
Opcode Fuzzy Hash: 20b88b47279353510ec4cf1d1d31a46b78242ebb47bf285d58f9a4c05d1fd41c
Instruction Fuzzy Hash: 7A71E23261016B8BCB20DE6CCD515BB33A5ABB4794B150A2AF8669B384F731CD95C3E0

Function 001E833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E835A
_wcslen.LIBCMT ref: 001E836E
_wcslen.LIBCMT ref: 001E8391
_wcslen.LIBCMT ref: 001E83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001E83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001E5BF2), ref: 001E844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001E84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001E8501
FreeLibrary.KERNEL32(?), ref: 001E850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001E851D
DestroyIcon.USER32(?,?,?,?,?,001E5BF2), ref: 001E852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001E8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001E8555

Strings

.icl, xrefs: 001E8368
.exe, xrefs: 001E8388
.dll, xrefs: 001E83AB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
Instruction ID: fc55935db32132765dd03179264695d372ea9979399e8fb44e639ddb7af06e65
Opcode Fuzzy Hash: e210cd6324be3034f49bcf58c00d27e57b901f29b9a9821d503ad88d9bf70393
Instruction Fuzzy Hash: D961DD71500A55BBEB14DF65CC81BBE77A8FF18B11F104609F919EA0D1EF74A990CBA0

Function 00157778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00195279
#ce, xrefs: 001578ED
#notrayicon, xrefs: 001577E7
#requireadmin, xrefs: 001577FF
', xrefs: 00195169
", xrefs: 00195153
#include, xrefs: 00157847
#include-once, xrefs: 0015782F
#pragma compile, xrefs: 001577D3
#comments-end, xrefs: 001578D9
Unterminated group of comments, xrefs: 0019528C
Bad directive syntax error, xrefs: 0019519A
#OnAutoItStartRegister, xrefs: 00157817
#comments-start, xrefs: 0015785F, 001578B1
#cs, xrefs: 00157873, 001578C5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 8749f821965372b95dea1d9e5a3459fb5fb1628132d1187bc4a610dcd4043fd2
Instruction ID: 7247a3f6008b533b1c2e1aaa10308fff320aa1767db4cc3ed6eb313b38e1e8a2
Opcode Fuzzy Hash: 8749f821965372b95dea1d9e5a3459fb5fb1628132d1187bc4a610dcd4043fd2
Instruction Fuzzy Hash: DC81F371640605EBDB25AF60EC47FAE37A9AF25301F144024FD18AF1D6EB70DA16C7A1

Function 001C3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001C3EF8
_wcslen.LIBCMT ref: 001C3F03
_wcslen.LIBCMT ref: 001C3F5A
_wcslen.LIBCMT ref: 001C3F98
GetDriveTypeW.KERNEL32(?), ref: 001C3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001C401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001C4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001C4087

Strings

open, xrefs: 001C3F54, 001C3F59
closed, xrefs: 001C3F08, 001C3F2D, 001C3F46, 001C3F7E, 001C3F97
wait, xrefs: 001C4044
type cdaudio alias cd wait, xrefs: 001C4001
close cd wait, xrefs: 001C4072
open , xrefs: 001C3FE5
set cd door , xrefs: 001C4028
close, xrefs: 001C3EFE, 001C3F18

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2a02ad73e86a19edbf78d0f739cf14832760f2a9ee12e8c050f93c8ae8e6bd07
Instruction ID: 38371ae4ce0eccdd8646e59eb6cb3bad0adf499414161b234ae0a18d525c59c7
Opcode Fuzzy Hash: 2a02ad73e86a19edbf78d0f739cf14832760f2a9ee12e8c050f93c8ae8e6bd07
Instruction Fuzzy Hash: 1571B0326042019FC310DF24C8919AEB7F4EFB4758F50892DF9A59B251EB30DD49CB92

Function 001B5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001B5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001B5A40
SetWindowTextW.USER32(?,?), ref: 001B5A57
GetDlgItem.USER32(?,000003EA), ref: 001B5A6C
SetWindowTextW.USER32(00000000,?), ref: 001B5A72
GetDlgItem.USER32(?,000003E9), ref: 001B5A82
SetWindowTextW.USER32(00000000,?), ref: 001B5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001B5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001B5AC3
GetWindowRect.USER32(?,?), ref: 001B5ACC
_wcslen.LIBCMT ref: 001B5B33
SetWindowTextW.USER32(?,?), ref: 001B5B6F
GetDesktopWindow.USER32 ref: 001B5B75
GetWindowRect.USER32(00000000), ref: 001B5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001B5BD3
GetClientRect.USER32(?,?), ref: 001B5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001B5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001B5C2F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
Instruction ID: f1ac7fb0f1c883ce79a91c4ca64db9b0c92fe5a110eaac1490b8a1067f55c896
Opcode Fuzzy Hash: e4da5687edfecad64d0ec3c3a4fa2d26272cdff695b096afeb86de434ca3f5a2
Instruction Fuzzy Hash: 4E716D31900B09AFDB20DFA9CE85BAEBBF6FF48704F104518E542A76A0D775E945CB50

Function 001CFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001CFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001CFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001CFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001CFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001CFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001CFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001CFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001CFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001CFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001CFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001CFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001CFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001CFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001CFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001CFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001CFECC
GetCursorInfo.USER32(?), ref: 001CFEDC
GetLastError.KERNEL32 ref: 001CFF1E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 921c7b0c0518151aaf58f34f0c5bc3a0020e68280784996f3f4e2696f0d4df44
Instruction ID: 2bd156a8d462a121a90638d5bc7ce9e18600bba913d463d2b9fd130ee5969797
Opcode Fuzzy Hash: 921c7b0c0518151aaf58f34f0c5bc3a0020e68280784996f3f4e2696f0d4df44
Instruction Fuzzy Hash: 4C4152B0D04319AADB109FBA8C89D5EBFE9FF04754B50452EE11DEB281DB78E901CE91

Function 001B30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B318D
_wcslen.LIBCMT ref: 001B31F8

Strings

INSTANCE, xrefs: 001B3453
REGEXPCLASS, xrefs: 001B3255, 001B3266
[!, xrefs: 001B339A
CLASSNN, xrefs: 001B31F3, 001B3204
NAME, xrefs: 001B3335, 001B3346
TEXT, xrefs: 001B347C
CLASS, xrefs: 001B3188, 001B31A5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[!
API String ID: 176396367-2891400992
Opcode ID: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
Instruction ID: 341570cc986afb8cc324ff6d4a9055ec64c6e8ee38ae2350151a07c70473d904
Opcode Fuzzy Hash: c9babb239876d378d57653d0dd10fbcf10029a962191d244b7042387136036d1
Instruction Fuzzy Hash: 5FE1F731A00526EBCB289F78C8416EEFBB4BF64714F558159E476E7240DB30AFA9C790

Function 001700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001700C6

Part of subcall function 001700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0022070C,00000FA0,29C73466,?,?,?,?,001923B3,000000FF), ref: 0017011C
Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001923B3,000000FF), ref: 00170127
Part of subcall function 001700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001923B3,000000FF), ref: 00170138
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0017014E
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0017015C
Part of subcall function 001700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0017016A
Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00170195
Part of subcall function 001700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001701A0

___scrt_fastfail.LIBCMT ref: 001700E7

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

Strings

InitializeConditionVariable, xrefs: 00170148
WakeAllConditionVariable, xrefs: 00170162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00170122
kernel32.dll, xrefs: 00170133
SleepConditionVariableCS, xrefs: 00170154

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
Instruction ID: e356922bb1980496ccd717467a1baf5552c58520123243afcaa1d9daacac54b2
Opcode Fuzzy Hash: 3bbcb1bf2e22a07ec908ea673c29008e07f2816c6265658d8e00a029e88e7184
Instruction Fuzzy Hash: 9A21F932A44750EBD7226BE4BC89B6E77F4EB0DB61F01813DFC0596691DBB09C418A90

Function 001C44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001ECC08), ref: 001C4527
_wcslen.LIBCMT ref: 001C453B
_wcslen.LIBCMT ref: 001C4599
_wcslen.LIBCMT ref: 001C45F4
_wcslen.LIBCMT ref: 001C463F
_wcslen.LIBCMT ref: 001C46A7

Part of subcall function 0016F9F2: _wcslen.LIBCMT ref: 0016F9FD

GetDriveTypeW.KERNEL32(?,00216BF0,00000061), ref: 001C4743

Strings

ramdisk, xrefs: 001C46F1
removable, xrefs: 001C45EA, 001C45EF
fixed, xrefs: 001C4635, 001C463A
cdrom, xrefs: 001C458F, 001C4594
network, xrefs: 001C469D, 001C46A2
all, xrefs: 001C4531, 001C4536
unknown, xrefs: 001C4708

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 786217f83316d2d2488c395c19c9af77e7c26d07260b9c40ffb14c9e905a8aca
Instruction ID: aed63cb13965299cfd2ff0b53bc85122b9afc9b19351049dc1e64fd06d21307e
Opcode Fuzzy Hash: 786217f83316d2d2488c395c19c9af77e7c26d07260b9c40ffb14c9e905a8aca
Instruction Fuzzy Hash: 58B1EE3160C3129FC724DF28C8A0E6EB7E5AFB5724F50491DF4A6C7291E730D989CA92

Function 001E911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

DragQueryPoint.SHELL32(?,?), ref: 001E9147

Part of subcall function 001E7674: ClientToScreen.USER32(?,?), ref: 001E769A
Part of subcall function 001E7674: GetWindowRect.USER32(?,?), ref: 001E7710
Part of subcall function 001E7674: PtInRect.USER32(?,?,001E8B89), ref: 001E7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001E91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001E91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001E91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001E9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001E923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001E9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001E9277
DragFinish.SHELL32(?), ref: 001E927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001E9371

Strings

@GUI_DROPID, xrefs: 001E929E
@GUI_DRAGID, xrefs: 001E92E9
@GUI_DRAGFILE, xrefs: 001E9320
p#", xrefs: 001E92BB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#"
API String ID: 221274066-2770955705
Opcode ID: a842275943251ea8e1eae865721eac10eb7c78a8ca96714ad7a0d06066b38838
Instruction ID: 66afaa6a605685e56af0162986c42b66183c84e9430487698f711a4cc01eea3c
Opcode Fuzzy Hash: a842275943251ea8e1eae865721eac10eb7c78a8ca96714ad7a0d06066b38838
Instruction Fuzzy Hash: BA618A71108341AFC701DFA4DC85DAFBBE8EF99750F40091EF9A1961A1DB709A4ACB92

Function 0015326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00221990), ref: 00192F8D
GetMenuItemCount.USER32(00221990), ref: 0019303D
GetCursorPos.USER32(?), ref: 00193081
SetForegroundWindow.USER32(00000000), ref: 0019308A
TrackPopupMenuEx.USER32(00221990,00000000,?,00000000,00000000,00000000), ref: 0019309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001930A9

Strings

0, xrefs: 0015327D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f6ad89210c29581ecbc48ab22f662c7c58bb04a327f6fee9645e6b8955ad3fcf
Instruction ID: f82545977a383ce4f6b3b62799d1f15469a782a4ed6e4240c5ea91909b126c7f
Opcode Fuzzy Hash: f6ad89210c29581ecbc48ab22f662c7c58bb04a327f6fee9645e6b8955ad3fcf
Instruction Fuzzy Hash: 65710470644205BEEF258F64CC89FAABF64FF05364F244216F939AA1E0C7B1A954DB90

Function 001E6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001E6DEB

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001E6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001E6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6E94
DestroyWindow.USER32(?), ref: 001E6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00150000,00000000), ref: 001E6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001E6EFD
GetDesktopWindow.USER32 ref: 001E6F16
GetWindowRect.USER32(00000000), ref: 001E6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001E6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001E6F4D

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

Strings

tooltips_class32, xrefs: 001E6E58, 001E6EDD
0, xrefs: 001E6D98

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
Instruction ID: eb917520e619384ba7993f3df8a2800c38f0cdcf99eaf7480dad1bf9fb1fb6d5
Opcode Fuzzy Hash: c1d002fefd6d54685eceda1c8ab1198487b4ae895c87943848e72e03d428e9cb
Instruction Fuzzy Hash: 2B718870104684AFDB20CF59DC98EAABBE9FBA9340F84041DF999872A1C770AD46CB51

Function 001CC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001CC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001CC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001CC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001CC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001CC5F0
InternetCloseHandle.WININET(00000000), ref: 001CC5FB

Strings

, xrefs: 001CC575

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
Instruction ID: 57bc27fd7e66794e956fa27ecd59b972446767756cdc8f9238d22c7ca00916d9
Opcode Fuzzy Hash: d0f0f76b83423dd72d93ddf2fa1c3bedb57acacc4740357d7e79515415217e37
Instruction Fuzzy Hash: 1E515CB1600245BFDB218FA4CD88FAB7BBCFB28744F00841DF94996650DB30ED459BA1

Function 001E856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001E8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85BA
GlobalLock.KERNEL32(00000000), ref: 001E85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85D7
GlobalUnlock.KERNEL32(00000000), ref: 001E85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001E85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001EFC38,?), ref: 001E8611
GlobalFree.KERNEL32(00000000), ref: 001E8621
GetObjectW.GDI32(?,00000018,?), ref: 001E8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001E8671
DeleteObject.GDI32(?), ref: 001E8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001E86AF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
Instruction ID: 531392b2a654cf94237b56636f7f2ef4b03352c59a4201793c89ade2b9574e06
Opcode Fuzzy Hash: 6e4242230b918421bf117b330e8e8bdfea36f6de314ddba5b61a4f423f712ffc
Instruction Fuzzy Hash: 18411975600285AFDB11DFA5CC88EAEBBB8FF89715F104158F919EB260DB309942DB60

Function 001C14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001C1502
VariantCopy.OLEAUT32(?,?), ref: 001C150B
VariantClear.OLEAUT32(?), ref: 001C1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001C15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001C1657
VariantInit.OLEAUT32(?), ref: 001C1708
SysFreeString.OLEAUT32(?), ref: 001C178C
VariantClear.OLEAUT32(?), ref: 001C17D8
VariantClear.OLEAUT32(?), ref: 001C17E7
VariantInit.OLEAUT32(00000000), ref: 001C1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001C1625
Default, xrefs: 001C16AF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6edbe6de115b5b106095eba924dcab14363a2173bc2b7253061c9817abcc79ca
Instruction ID: b0af2e6ba45a7b19a998427d4a83240d02c3140056abde2e82de3e0814636c8b
Opcode Fuzzy Hash: 6edbe6de115b5b106095eba924dcab14363a2173bc2b7253061c9817abcc79ca
Instruction Fuzzy Hash: F1D12232A40210EBCB049F64E885F7DB7B1BF67B00F51809EE806AB182DB30EC55DB91

Function 001DB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001DB80A
RegCloseKey.ADVAPI32(?), ref: 001DB87E
RegCloseKey.ADVAPI32(?), ref: 001DB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001DB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001DB922
FreeLibrary.KERNEL32(00000000), ref: 001DB983
RegCloseKey.ADVAPI32(00000000), ref: 001DB994

Strings

advapi32.dll, xrefs: 001DB8ED
RegDeleteKeyExW, xrefs: 001DB8FE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0f4a728cbc8a2ee426d097ce7c55b1c0d4b2bdd07961685afdbea9c89a2d4df1
Instruction ID: 41cdf8b803d9a026a25f816a7d21db6a6efdbdd8aff31dec16152f68b0cbb75a
Opcode Fuzzy Hash: 0f4a728cbc8a2ee426d097ce7c55b1c0d4b2bdd07961685afdbea9c89a2d4df1
Instruction Fuzzy Hash: 67C17A34208241EFD714DF24C8D5B2ABBE1BF84318F55855DF8AA4B3A2CB75E846CB91

Function 001D255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001D25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001D25E8
CreateCompatibleDC.GDI32(?), ref: 001D25F4
SelectObject.GDI32(00000000,?), ref: 001D2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001D266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001D26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001D26D0
SelectObject.GDI32(?,?), ref: 001D26D8
DeleteObject.GDI32(?), ref: 001D26E1
DeleteDC.GDI32(?), ref: 001D26E8
ReleaseDC.USER32(00000000,?), ref: 001D26F3

Strings

(, xrefs: 001D268D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fda938544fe5fc45ce8f4fb7b43d4d059bb7f3cb97e344540fc904eaf7a610d7
Instruction ID: 32366ef68d2cb7e2b455021d5073a523e199db7b50ffaf7f8f4b15dac6d7b865
Opcode Fuzzy Hash: fda938544fe5fc45ce8f4fb7b43d4d059bb7f3cb97e344540fc904eaf7a610d7
Instruction Fuzzy Hash: 8F61C1B5D00219EFCB14CFA8DC84AAEBBB6FF58310F20852AE955A7350D774A951CF90

Function 0018DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0018DAA1

Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D659
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D66B
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D67D
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D68F
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6A1
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6B3
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6C5
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6D7
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6E9
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D6FB
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D70D
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D71F
Part of subcall function 0018D63C: _free.LIBCMT ref: 0018D731

_free.LIBCMT ref: 0018DA96

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018DAB8
_free.LIBCMT ref: 0018DACD
_free.LIBCMT ref: 0018DAD8
_free.LIBCMT ref: 0018DAFA
_free.LIBCMT ref: 0018DB0D
_free.LIBCMT ref: 0018DB1B
_free.LIBCMT ref: 0018DB26
_free.LIBCMT ref: 0018DB5E
_free.LIBCMT ref: 0018DB65
_free.LIBCMT ref: 0018DB82
_free.LIBCMT ref: 0018DB9A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
Instruction ID: 4a91c1c0325c8934cdcf5674f1353731a7c9c8fa52d13f36c735cf8abada8a20
Opcode Fuzzy Hash: cbc8953d7d4b8dcb9b4ee82a4b2ca2b9f702201be4733a06482567f12a8bd0b8
Instruction Fuzzy Hash: F4313731A443059FEB26BA39F845B5AB7E9FF21324F264429E449D7191DF35AE808F20

Function 001B365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001B369C
_wcslen.LIBCMT ref: 001B36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001B3797
GetClassNameW.USER32(?,?,00000400), ref: 001B380C
GetDlgCtrlID.USER32(?), ref: 001B385D
GetWindowRect.USER32(?,?), ref: 001B3882
GetParent.USER32(?), ref: 001B38A0
ScreenToClient.USER32(00000000), ref: 001B38A7
GetClassNameW.USER32(?,?,00000100), ref: 001B3921
GetWindowTextW.USER32(?,?,00000400), ref: 001B395D

Strings

%s%u, xrefs: 001B3734

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c787450e7e13e4d5d7a767ccadc07dc49ecf575722502a244da1af47334fcc6c
Instruction ID: 562c0c7536aecb1dcd698c691e8e14177ee4be895276a20283c89927e1c7e8fe
Opcode Fuzzy Hash: c787450e7e13e4d5d7a767ccadc07dc49ecf575722502a244da1af47334fcc6c
Instruction Fuzzy Hash: 2891D571204706EFD718DF64C885BEAF7A9FF44304F008619F9A9C6190DB30EA66CB91

Function 001B4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001B4994
GetWindowTextW.USER32(?,?,00000400), ref: 001B49DA
_wcslen.LIBCMT ref: 001B49EB
CharUpperBuffW.USER32(?,00000000), ref: 001B49F7
_wcsstr.LIBVCRUNTIME ref: 001B4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001B4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001B4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001B4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001B4B20
GetWindowRect.USER32(?,?), ref: 001B4B8B

Strings

ThumbnailClass, xrefs: 001B4A6F, 001B4AF1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d91afb4ae12f5918d7dc65362296f35fddf88aee4794562557d6aefcb9e458de
Instruction ID: cc9497b8ce8579cdc645bca5a38b5642e3ee7f90f4c532047cbef99853791775
Opcode Fuzzy Hash: d91afb4ae12f5918d7dc65362296f35fddf88aee4794562557d6aefcb9e458de
Instruction Fuzzy Hash: E691BE710042059FDB04DF14C981BEA7BE9FF98714F048469FE869A197DB30ED46CBA1

Function 001E8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E8D5A
GetFocus.USER32 ref: 001E8D6A
GetDlgCtrlID.USER32(00000000), ref: 001E8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001E8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001E8ECF
GetMenuItemCount.USER32(?), ref: 001E8EEC
GetMenuItemID.USER32(?,00000000), ref: 001E8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001E8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001E8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001E8FA1

Strings

0, xrefs: 001E8E9F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 573ec5efdd3332be76ba6d0f7b3d30aa580615e1e84a1f597a407b8976cde5bc
Instruction ID: c45843ab794cf28e3ca2c6b20b7e3a98d5764cf698e74d8457b828fa8b649385
Opcode Fuzzy Hash: 573ec5efdd3332be76ba6d0f7b3d30aa580615e1e84a1f597a407b8976cde5bc
Instruction Fuzzy Hash: CC81DE71508781AFDB10CF25DC84AAFBBE9FF98714F040919F99897291DB30D941CBA2

Function 001BBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00221990,000000FF,00000000,00000030), ref: 001BBFAC
SetMenuItemInfoW.USER32(00221990,00000004,00000000,00000030), ref: 001BBFE1
Sleep.KERNEL32(000001F4), ref: 001BBFF3
GetMenuItemCount.USER32(?), ref: 001BC039
GetMenuItemID.USER32(?,00000000), ref: 001BC056
GetMenuItemID.USER32(?,-00000001), ref: 001BC082
GetMenuItemID.USER32(?,?), ref: 001BC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001BC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BC145

Strings

0, xrefs: 001BBF3D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 83b2e05f9579baf1034e6df1932f638d579f277919a619a4b0b90bf5b787f376
Instruction ID: 8d3c596c33066416010e7c6d3c6a2cd3b915fc307e6e7413dd2685db03a8245d
Opcode Fuzzy Hash: 83b2e05f9579baf1034e6df1932f638d579f277919a619a4b0b90bf5b787f376
Instruction Fuzzy Hash: C1618DB0A0024AEFDF15DFA8DC88AFEBBA8EF15344F144059F811A7291C771AD45CBA0

Function 001BDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001BDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001BDC46
_wcslen.LIBCMT ref: 001BDC50
_wcsstr.LIBVCRUNTIME ref: 001BDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001BDCBC

Strings

04090000, xrefs: 001BDCF2
DefaultLangCodepage, xrefs: 001BDD1F
\VarFileInfo\Translation, xrefs: 001BDCB4
StringFileInfo\, xrefs: 001BDC8F
%u.%u.%u.%u, xrefs: 001BDD9A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 840fb77fa9bb38695f372a0bb8136fea739b83656d01264b839c12486fcaa6b4
Instruction ID: 573a1c7742db07a980083406ea6a4360e2d3673ca6a105ebac4962167a778755
Opcode Fuzzy Hash: 840fb77fa9bb38695f372a0bb8136fea739b83656d01264b839c12486fcaa6b4
Instruction Fuzzy Hash: 00412732940204BBDB08A7B5EC47EFF7BBCEF66750F104069F904A6182FB71991287A5

Function 001DCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001DCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD48

Part of subcall function 001DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001DCCAA
Part of subcall function 001DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001DCCBD
Part of subcall function 001DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001DCCCF
Part of subcall function 001DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001DCD05
Part of subcall function 001DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001DCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001DCCF3

Strings

advapi32.dll, xrefs: 001DCCB8
RegDeleteKeyExW, xrefs: 001DCCC9

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 774cda740f2d10a310b63a88f5e3ba1a871d8827ab1530984c51ba8b3999df5b
Instruction ID: dd7cd1413a60e28c124265ad56957fa8bff1d218fe38e6e5c8bc205270a94f93
Opcode Fuzzy Hash: 774cda740f2d10a310b63a88f5e3ba1a871d8827ab1530984c51ba8b3999df5b
Instruction Fuzzy Hash: BD316F7590112ABBDB208B94DC88EFFBBBDEF55750F000566F905E6240DB349A86DAE0

Function 001C3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001C3D40
_wcslen.LIBCMT ref: 001C3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001C3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001C3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001C3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001C3E55
CloseHandle.KERNEL32(00000000), ref: 001C3E60
CloseHandle.KERNEL32(00000000), ref: 001C3E6B

Strings

\??\%s, xrefs: 001C3D5B
\, xrefs: 001C3D77
:, xrefs: 001C3D82

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1b95dbfcdd9583b01f9b52e27aae575f69693dfd39ca9e02b1aee5603b0ff9d8
Instruction ID: eb6072a984074663496d2be41e9e7db1a09e8451816bd3f6bf0567997897a170
Opcode Fuzzy Hash: 1b95dbfcdd9583b01f9b52e27aae575f69693dfd39ca9e02b1aee5603b0ff9d8
Instruction Fuzzy Hash: BB31A37190024AABDB209BE0DC89FEF37BDEF99700F5081A9F619D6050EB70D7858B64

Function 001BE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001BE6B4

Part of subcall function 0016E551: timeGetTime.WINMM(?,?,001BE6D4), ref: 0016E555

Sleep.KERNEL32(0000000A), ref: 001BE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001BE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001BE727
SetActiveWindow.USER32 ref: 001BE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001BE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001BE773
Sleep.KERNEL32(000000FA), ref: 001BE77E
IsWindow.USER32 ref: 001BE78A
EndDialog.USER32(00000000), ref: 001BE79B

Strings

BUTTON, xrefs: 001BE719

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8d406aad15bd029285a84607ee4b49d85aa534fac1cde1823edbb2ea3edaf226
Instruction ID: a7fe1fcf2dd765c1a3cf34a865e1e397d956cd75ab2c05ca43d3e281d7e7ad1b
Opcode Fuzzy Hash: 8d406aad15bd029285a84607ee4b49d85aa534fac1cde1823edbb2ea3edaf226
Instruction Fuzzy Hash: AE216571600244FFEB205FE0FCCDEBA3BADEB65348F102424F815956B1DB729C568A94

Function 001BE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001BEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001BEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001BEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001BEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001BEAA7

Strings

alias PlayMe, xrefs: 001BEA36
play PlayMe, xrefs: 001BEAA2
open , xrefs: 001BEA0C
close PlayMe, xrefs: 001BEA6E, 001BEA9B
play PlayMe wait, xrefs: 001BEA91
status PlayMe mode, xrefs: 001BEA58

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6466f490cdd02d90104a296621b63d52dbb4a838e671d42eae625ca75735855c
Instruction ID: 02e5f37ec66adec7f56aed0b63ca405075908daf2cbc269bf4993a754cb72b87
Opcode Fuzzy Hash: 6466f490cdd02d90104a296621b63d52dbb4a838e671d42eae625ca75735855c
Instruction Fuzzy Hash: 7E115431A50259BAD710A7A1DC4ADFF6ABCEBE2B44F400429B821A70D1DF701999C5B0

Function 001B5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001B5CE2
GetWindowRect.USER32(00000000,?), ref: 001B5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001B5D59
GetDlgItem.USER32(?,00000002), ref: 001B5D69
GetWindowRect.USER32(00000000,?), ref: 001B5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001B5DCF
GetDlgItem.USER32(?,000003E9), ref: 001B5DDD
GetWindowRect.USER32(00000000,?), ref: 001B5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001B5E31
GetDlgItem.USER32(?,000003EA), ref: 001B5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001B5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001B5E67

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3eab44d0210ce33abb52f4df6f2e7d4dffaa33dc92893f4b68bf0a59ff076a43
Instruction ID: 1c8e8f26108f1c1af2a3d94489d0627a954006183a796c8e4340b5ea095757eb
Opcode Fuzzy Hash: 3eab44d0210ce33abb52f4df6f2e7d4dffaa33dc92893f4b68bf0a59ff076a43
Instruction Fuzzy Hash: 4C512F70A00605AFDF18CFA8CD89AAEBBB6FB48300F148229F915E6690D7709E41CB50

Function 00168BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00168F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00168BE8,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168FC5

DestroyWindow.USER32(?), ref: 00168C81
KillTimer.USER32(00000000,?,?,?,?,00168BBA,00000000,?), ref: 00168D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001A6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000,?), ref: 001A69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00168BBA,00000000), ref: 001A69D4
DeleteObject.GDI32(00000000), ref: 001A69E6

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1ec6eda0ddf23a7c79e96976abe0e8ef65044d5ce10e54a59839f2161630bf14
Instruction ID: 2484baa8373aab9d9dfb2bdb719269d21726a97cca42459797a11b5def6ff1c9
Opcode Fuzzy Hash: 1ec6eda0ddf23a7c79e96976abe0e8ef65044d5ce10e54a59839f2161630bf14
Instruction Fuzzy Hash: 3161AA35502700EFCB359F64DD98B6AB7F1FB65316F145618E0429B960CB31A8E2CBA1

Function 00169838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00169944: GetWindowLongW.USER32(?,000000EB), ref: 00169952

GetSysColor.USER32(0000000F), ref: 00169862

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1cff851c32d916beb631d83b3fc2ba3dc9246a1ca9c3076d36517eb0d2d4ddf5
Instruction ID: 1217693e04c5ee152832095e56ca4c860b89f30e4fe8b459753f5f3ee5dab72e
Opcode Fuzzy Hash: 1cff851c32d916beb631d83b3fc2ba3dc9246a1ca9c3076d36517eb0d2d4ddf5
Instruction Fuzzy Hash: 23419E31504684EFDB205F789C88BBA3BADAB47330F144619F9A28B1E1D7319D92DB50

Function 001B96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001B9717
LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9720

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0019F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001B9742
LoadStringW.USER32(00000000,?,0019F7F8,00000001), ref: 001B9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001B9866

Strings

^ ERROR, xrefs: 001B97FB
Line %d (File "%s"):, xrefs: 001B978F
%s (%d) : ==> %s: %s %s, xrefs: 001B984A
Line %d:, xrefs: 001B97A0
Error: , xrefs: 001B981D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 203c470dd0b5dadda985d3462125ac13f861cc82cfcbfbffc6065d69a0495776
Instruction ID: e1f1c025bb7d0780bb62b89cdd62c2d3f49248572ed3d7e59db53190ad649068
Opcode Fuzzy Hash: 203c470dd0b5dadda985d3462125ac13f861cc82cfcbfbffc6065d69a0495776
Instruction Fuzzy Hash: ED413C7280021DEACF14EBE0DD86DEE7779AF25341F500065FA157A092EB356F49CBA1

Function 001B06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001B07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001B07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001B07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001B0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001B082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001B083C

Strings

\IPC$, xrefs: 001B0784
SOFTWARE\Classes\, xrefs: 001B070E
\CLSID, xrefs: 001B0724

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ce4973bae295c3564bee1d718aa577c969757c4d9d284924b85acdc7af21c940
Instruction ID: 00c5535d042c9921350b5755f4c8305ec752e7450b33a897d962b13103482d21
Opcode Fuzzy Hash: ce4973bae295c3564bee1d718aa577c969757c4d9d284924b85acdc7af21c940
Instruction Fuzzy Hash: 57410772C1022DEBCF15EBA4DC958EEB7B8BF58350B444169F911AB161EB309E48CB90

Function 001D3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D3C5C
CoInitialize.OLE32(00000000), ref: 001D3C8A
CoUninitialize.OLE32 ref: 001D3C94
_wcslen.LIBCMT ref: 001D3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001D3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001D3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001D3F0E
CoGetObject.OLE32(?,00000000,001EFB98,?), ref: 001D3F2D
SetErrorMode.KERNEL32(00000000), ref: 001D3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001D3FC4
VariantClear.OLEAUT32(?), ref: 001D3FD8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 55f4faa9a142e70f32f42ebb0e0f52a895ffb4ea349b9a57e24e70a7653eae97
Instruction ID: b3c89a55e26e99e775d534a3ae951f3c15edf3a68ddaa2239f9453e028731bee
Opcode Fuzzy Hash: 55f4faa9a142e70f32f42ebb0e0f52a895ffb4ea349b9a57e24e70a7653eae97
Instruction Fuzzy Hash: 08C133716082059FD700DF68C88496BB7E9FF89748F14491EF99A9B250D730EE46CB92

Function 001C7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001C7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001C7BA3
CoCreateInstance.OLE32(001EFD08,00000000,00000001,00216E6C,?), ref: 001C7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001C7C74
CoTaskMemFree.OLE32(?,?), ref: 001C7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001C7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001C7D7A
CoTaskMemFree.OLE32(00000000), ref: 001C7D81
CoTaskMemFree.OLE32(00000000), ref: 001C7DD6
CoUninitialize.OLE32 ref: 001C7DDC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 774ae0d5459793cf5039ade18561f095f4313850caccabb0313ff666afe953ea
Instruction ID: 00f931a8079ca45e1618bee603a9d069ef4387307a83f7f701c2944ccce73a14
Opcode Fuzzy Hash: 774ae0d5459793cf5039ade18561f095f4313850caccabb0313ff666afe953ea
Instruction Fuzzy Hash: 2BC10975A04109EFCB14DFA4C884EAEBBF9FF58304B148499E81A9B661D770EE45CF90

Function 001E541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001E5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E5515
CharNextW.USER32(00000158), ref: 001E5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001E5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001E559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E55AC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
Instruction ID: 32101e79f093324e8bbafb7bcab77169bfba30422f68549bffd7ee1ed6d92dd6
Opcode Fuzzy Hash: d8d359b3c944f9d770401aaac1613ac68531bd924f783580325ee42b7905436c
Instruction Fuzzy Hash: D1619034900A89EFDF108F96CC84DFE7BBAEF09728F144145F925AB291D7748A81DB61

Function 001AFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001AFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001AFB08
VariantInit.OLEAUT32(?), ref: 001AFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001AFB3A
VariantCopy.OLEAUT32(?,?), ref: 001AFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001AFBA1
VariantClear.OLEAUT32(?), ref: 001AFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001AFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBCC
VariantClear.OLEAUT32(?), ref: 001AFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001AFBE9

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
Instruction ID: 4afe7de2c2263cb75fbb847ad64e3d4d71254cd5f565be7edb3790a241e0ad45
Opcode Fuzzy Hash: 99fd3ee76717eb4a2f2eb8879ddc951686047fa752d5c48f2b3f37f4b27c3b3d
Instruction Fuzzy Hash: D5414175A00219DFCB04DFA8DC94DEEBBB9FF59344F008069F955AB661C730A946CBA0

Function 001B9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001B9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001B9D22
GetKeyState.USER32(000000A0), ref: 001B9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001B9D57
GetKeyState.USER32(000000A1), ref: 001B9D6C
GetAsyncKeyState.USER32(00000011), ref: 001B9D84
GetKeyState.USER32(00000011), ref: 001B9D96
GetAsyncKeyState.USER32(00000012), ref: 001B9DAE
GetKeyState.USER32(00000012), ref: 001B9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001B9DD8
GetKeyState.USER32(0000005B), ref: 001B9DEA

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 91ea4c7d8fdc298655e952c339eae9cb3fcea6364138f5d996f8e2fb97abf660
Instruction ID: a0037fca92a5cdf4cf5dc20a4c4ba3f63520da8c8e2f8bcc027352eb09982a7d
Opcode Fuzzy Hash: 91ea4c7d8fdc298655e952c339eae9cb3fcea6364138f5d996f8e2fb97abf660
Instruction Fuzzy Hash: 4741F8346047CA6DFF3197A1C8443F5BEB06F15344F44805ADBC65A6C2DBA4A9CACBA2

Function 001D055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001D05BC
inet_addr.WSOCK32(?), ref: 001D061C
gethostbyname.WSOCK32(?), ref: 001D0628
IcmpCreateFile.IPHLPAPI ref: 001D0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001D06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001D07B9
WSACleanup.WSOCK32 ref: 001D07BF

Strings

Ping, xrefs: 001D0676

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0fdd11d4b4ebef8dfc2b1a51461349bc0aac8f24c04b0b5506a97a16ef5f4ded
Instruction ID: 58194f9d0007fd674435a1c6157beaeea044071dd070097ae3f2063987b2d907
Opcode Fuzzy Hash: 0fdd11d4b4ebef8dfc2b1a51461349bc0aac8f24c04b0b5506a97a16ef5f4ded
Instruction Fuzzy Hash: F3918D35604241DFD321CF15D888F1ABBE0AF48318F1585AAE8A98F7A2C730ED85CF91

Function 001D8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001D8CF3

Part of subcall function 001B8E54: _wcslen.LIBCMT ref: 001B8E77

_wcslen.LIBCMT ref: 001D8D4E
_wcslen.LIBCMT ref: 001D8D9C
_wcslen.LIBCMT ref: 001D8DDC
_wcslen.LIBCMT ref: 001D8E6E

Strings

cdecl, xrefs: 001D8D48, 001D8D4D
stdcall, xrefs: 001D8DD6, 001D8DDB
none, xrefs: 001D8E65, 001D8E6A
winapi, xrefs: 001D8D96, 001D8D9B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
Instruction ID: 5f0982ae894e8238029aeefaaa77e074638e24d98e989f3428fa7595c8818f0b
Opcode Fuzzy Hash: 97e319cc1f4d1c63df0c3dc43182b8fd5bd714363d02bb423b07143cc3c0fd47
Instruction Fuzzy Hash: 2F518F31A005169BCB14DFACC9519BEB7B6BF64724B21422AE926EB3C5DB31DD40CB90

Function 001D372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001D3774
CoUninitialize.OLE32 ref: 001D377F
CoCreateInstance.OLE32(?,00000000,00000017,001EFB78,?), ref: 001D37D9
IIDFromString.OLE32(?,?), ref: 001D384C
VariantInit.OLEAUT32(?), ref: 001D38E4
VariantClear.OLEAUT32(?), ref: 001D3936

Strings

Failed to create object, xrefs: 001D37E4, 001D389A
Invalid parameter, xrefs: 001D3865
NULL Pointer assignment, xrefs: 001D381E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 26a34605ebde82765aea5b88fd4a9beb71e586d2d7afcaf8289edb1ab7af3523
Instruction ID: a01d85e0f76755317210e505bc02e54ef19713a25eea21aaa94ba7c70586d895
Opcode Fuzzy Hash: 26a34605ebde82765aea5b88fd4a9beb71e586d2d7afcaf8289edb1ab7af3523
Instruction Fuzzy Hash: CA61BD71608701AFD311DF54D889FAAB7E4AF59710F00090AF9A59B391D770EE49CB93

Function 001E8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

Part of subcall function 0016912D: GetCursorPos.USER32(?), ref: 00169141
Part of subcall function 0016912D: ScreenToClient.USER32(00000000,?), ref: 0016915E
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000001), ref: 00169183
Part of subcall function 0016912D: GetAsyncKeyState.USER32(00000002), ref: 0016919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001E8B6B
ImageList_EndDrag.COMCTL32 ref: 001E8B71
ReleaseCapture.USER32 ref: 001E8B77
SetWindowTextW.USER32(?,00000000), ref: 001E8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001E8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001E8CFF

Strings

@GUI_DROPID, xrefs: 001E8C51
@GUI_DRAGFILE, xrefs: 001E8C9A
p#", xrefs: 001E8C71

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#"
API String ID: 1924731296-2850516425
Opcode ID: 83900f4ef26ac6a995bd863f1d4e8a31603694b588ee609dd7f9210b636ad538
Instruction ID: 3e0c6a8953a3e9a0e06c11d54fddd6730b40579ecf740f71b3d06bee87feed5c
Opcode Fuzzy Hash: 83900f4ef26ac6a995bd863f1d4e8a31603694b588ee609dd7f9210b636ad538
Instruction Fuzzy Hash: 2B51BA70104340AFD700DF54DC9AFAE77E4FB99714F000629F956AB2E1CB709959CBA2

Function 001C3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001C33CF

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001C33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 001C3522
"%s" (%d) : ==> %s:%s%s, xrefs: 001C3504
Line %d (File "%s"):, xrefs: 001C3443, 001C345C
^ ERROR , xrefs: 001C349E
Incorrect parameters to object property !, xrefs: 001C34AB
Error: , xrefs: 001C34D1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9d0e6b5906814e35bb7101453653720f41cd8d1f576ad78a51f99b10e66dcbc3
Instruction ID: 2f3be01a5cb4db2a74959dc6d7d2a698dab39e530f351fa7e56499b1aee0ab2f
Opcode Fuzzy Hash: 9d0e6b5906814e35bb7101453653720f41cd8d1f576ad78a51f99b10e66dcbc3
Instruction Fuzzy Hash: 2E517D32900209EADF14EBE0DD46EEEB3B9AF24341F104065F92576052EB316F99DB61

Function 001BB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001BB5FC
_wcslen.LIBCMT ref: 001BB608
_wcslen.LIBCMT ref: 001BB64D
_wcslen.LIBCMT ref: 001BB68C
_wcslen.LIBCMT ref: 001BB6C7

Strings

REMOVE, xrefs: 001BB602, 001BB607
EXISTS, xrefs: 001BB686, 001BB68B
APPEND, xrefs: 001BB6C1, 001BB6C6
KEYS, xrefs: 001BB647, 001BB64C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
Instruction ID: 7d84508857b8142904e97931d9160cb344dc29acd4ebfb873b12cc164c0e5ad0
Opcode Fuzzy Hash: 5e61cc796b8e4d4dd46140f3a79dcc512ff5b9a6e0f3924c92c80154015e6503
Instruction Fuzzy Hash: 2141E532A080269BCB206F7DCCD05FEB7B5AFB0758B254229E425DB684E771CD82C790

Function 001C5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001C5416
GetLastError.KERNEL32 ref: 001C5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001C54A7

Strings

READY, xrefs: 001C5460, 001C5468
UNKNOWN, xrefs: 001C5444
NOTREADY, xrefs: 001C544B
READONLY, xrefs: 001C5452
INVALID, xrefs: 001C5459

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
Instruction ID: 09da3bc0d98dc47d871e7cf9f78152a67f4f57bbabdeb86ccc921b447bb7e0ee
Opcode Fuzzy Hash: 96bf70644df40201847325b98e59b23318903a3cf59f32ecd3435cd3864d6435
Instruction Fuzzy Hash: 84317035A00504DFC718DF68D884FA97BB5EB65305F148059E805CF292EB71EDC6CB91

Function 001E3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001E3C79
SetMenu.USER32(?,00000000), ref: 001E3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E3D10
IsMenu.USER32(?), ref: 001E3D24
CreatePopupMenu.USER32 ref: 001E3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001E3D5B
DrawMenuBar.USER32 ref: 001E3D63

Strings

0, xrefs: 001E3C54
F, xrefs: 001E3D4E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ae89c32054be88d12ee2ae11e2c5db99d982552d5f3ec11c8b875881c19e8e51
Instruction ID: 18ae5f605ad9eac59235659bf2f7f5eaa3b9ef28176a4dc0ee9ee0b86a5e9bdb
Opcode Fuzzy Hash: ae89c32054be88d12ee2ae11e2c5db99d982552d5f3ec11c8b875881c19e8e51
Instruction Fuzzy Hash: 44417974A01649AFDB14CFA5EC88EAE7BB5FF49310F140029E916AB360D730AA11CF90

Function 001B1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001B1F64
GetDlgCtrlID.USER32 ref: 001B1F6F
GetParent.USER32 ref: 001B1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001B1F8E
GetDlgCtrlID.USER32(?), ref: 001B1F97
GetParent.USER32(?), ref: 001B1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001B1FAE

Strings

ListBox, xrefs: 001B1F21
ComboBox, xrefs: 001B1EEC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d946f6fd9f5236bff5ec66642eb24c2e7f2401d4fd51b6f8be52217a669fda23
Instruction ID: 2598b0d1373d26fc443f973232432081995f111fedf2495d41765fcfb99638b1
Opcode Fuzzy Hash: d946f6fd9f5236bff5ec66642eb24c2e7f2401d4fd51b6f8be52217a669fda23
Instruction Fuzzy Hash: 9C21C274900214FBCF04AFA0DC95DFFBBB9EF19310B500159F961AB291CB345959DBA0

Function 001E3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001E3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001E3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001E3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001E3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001E3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001E3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001E3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001E3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001E3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001E3C13

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
Instruction ID: 04b3a16f3d4495431c7aa6e41ade9547e4e6684a0eed5e7b73af732561a361a7
Opcode Fuzzy Hash: a272117b10d27682ed1aae2a90248ca6001dff02e0c67bf8b3ea85c3cb7579b7
Instruction Fuzzy Hash: 22617D75900248AFDB20DFA8CC85EEE77F8EF09700F14419AFA15A72A1C770AE95DB50

Function 001BB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB165
GetWindowThreadProcessId.USER32(00000000), ref: 001BB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001BB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001BA1E1,?,00000001), ref: 001BB21D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
Instruction ID: 2d175b4aff59a45bd72852dfd78aa8648763b920c98e66da49e93ea10a1f8351
Opcode Fuzzy Hash: 654c62a27570b78ee19c8b28fabfbcd65993d1b3a5e2c3037fdaaf554e8df0b6
Instruction Fuzzy Hash: 85318D75604204BFDB20DFA5ECC8FAE7BA9BB55311F104005FA11DA690D7B8AE428FB0

Function 00182C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00182C94

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 00182CA0
_free.LIBCMT ref: 00182CAB
_free.LIBCMT ref: 00182CB6
_free.LIBCMT ref: 00182CC1
_free.LIBCMT ref: 00182CCC
_free.LIBCMT ref: 00182CD7
_free.LIBCMT ref: 00182CE2
_free.LIBCMT ref: 00182CED
_free.LIBCMT ref: 00182CFB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
Instruction ID: 0c113e094b7362c6eeb317cd355b9f83e54567ea10f099f10c4a71faef98aed4
Opcode Fuzzy Hash: 95da1c031ee306122840be37cedad6da0b2b5c24fc6b2fc5828e86c81bcf99d8
Instruction Fuzzy Hash: 0E119076900118AFCB02FF94D982CDD3BA9FF15354F8245A5FA489B222DB35EB509F90

Function 001C7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001C7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001C7FC1
GetFileAttributesW.KERNEL32(?), ref: 001C7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001C8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001C8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001C80B0

Strings

*.*, xrefs: 001C8066

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 6fe8a42e36619df4613b1963c7ba7c68caa64e2cf5fd802dfd1b25f4baba19a9
Instruction ID: 63f228ac712a63086bdaff6c73e5c3d1aac54a86de6cf9e3b6ccae7736f52cfd
Opcode Fuzzy Hash: 6fe8a42e36619df4613b1963c7ba7c68caa64e2cf5fd802dfd1b25f4baba19a9
Instruction Fuzzy Hash: C08180725082459BCB24DF54C884EAEB3E8BBA5310F144C5EF895DB290EB74DD49CB92

Function 00155BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00155C7A

Part of subcall function 00155D0A: GetClientRect.USER32(?,?), ref: 00155D30
Part of subcall function 00155D0A: GetWindowRect.USER32(?,?), ref: 00155D71
Part of subcall function 00155D0A: ScreenToClient.USER32(?,?), ref: 00155D99

GetDC.USER32 ref: 001946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00194708
SelectObject.GDI32(00000000,00000000), ref: 00194716
SelectObject.GDI32(00000000,00000000), ref: 0019472B
ReleaseDC.USER32(?,00000000), ref: 00194733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001947C4

Strings

U, xrefs: 00194693

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
Instruction ID: 6498488b2e8d0f5ba0a78d6018628a6710811319da89850cd1f0c2fb30ad8ad8
Opcode Fuzzy Hash: 4709d1af2c0a1db88f00c5d80f646fae261bed71f98ea2bc973abc356df29a41
Instruction Fuzzy Hash: 4971E035400209DFCF29CFA4CD84EBA3BB6FF5A365F144269ED655A266C3319882DF60

Function 001C359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A

Strings

"%s" (%d) : ==> %s:, xrefs: 001C3742
^ ERROR, xrefs: 001C36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 001C3724
Line %d (File "%s"):, xrefs: 001C366B
Error: , xrefs: 001C36EF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 468ca24d5d2432641f9604b3b3dab55d5257b032a5302de04b206e46e17be89b
Instruction ID: 7853ff7d389bcda5a24bc83ca19cb1c897d87b501431a0cb87e1abdaa31dc9a3
Opcode Fuzzy Hash: 468ca24d5d2432641f9604b3b3dab55d5257b032a5302de04b206e46e17be89b
Instruction Fuzzy Hash: 04518F72800209FACF14EBE0DC46EEEBB75AF24341F144169F525760A1EB315B99DFA1

Function 001CC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001CC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001CC2CA
GetLastError.KERNEL32 ref: 001CC322
SetEvent.KERNEL32(?), ref: 001CC336
InternetCloseHandle.WININET(00000000), ref: 001CC341

Strings

, xrefs: 001CC2BB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
Instruction ID: f663a7b71e98c8daa85890c1a540bafe6b9a7abfa7ca6c5661b1e4a7fbc249f9
Opcode Fuzzy Hash: a299f9cefe0df17a29c746ef53ee6a913507f031fa5333c2c3f3b005b0f1d451
Instruction Fuzzy Hash: 80319AB1A00248AFD7219FA49C88FAF7BFCFB69740B14851EF44A96601DB30DD458BE1

Function 001B989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00193AAF,?,?,Bad directive syntax error,001ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001B98BC
LoadStringW.USER32(00000000,?,00193AAF,?), ref: 001B98C3

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001B9987

Strings

Line %d (File "%s"):, xrefs: 001B992D
Line %d:, xrefs: 001B9912
., xrefs: 001B996D
Error: , xrefs: 001B9955
%s (%d) : ==> %s.: %s %s, xrefs: 001B98F1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a7e18f179cff5b06543278216a804e5208ae76de2d69f84a5d381ad4e6c6c8fc
Instruction ID: 4f2232bbc9713799403ba3055ec96d59f5f482d8336c8012b1ae1e8af6dc32bb
Opcode Fuzzy Hash: a7e18f179cff5b06543278216a804e5208ae76de2d69f84a5d381ad4e6c6c8fc
Instruction Fuzzy Hash: CA21B131C0021EEBCF15AF90CC0AEEE7775FF29305F044469F9256A0A2EB319668DB51

Function 001B209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001B20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001B20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001B214D

Strings

SHELLDLL_DefView, xrefs: 001B20CC
list, xrefs: 001B212F
largeicons, xrefs: 001B20E1
details, xrefs: 001B20FB
smallicons, xrefs: 001B2115

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
Instruction ID: 5c76f2a68032a52c293b56e7d136ac733978ade2fbf1b443d5b427bb16202958
Opcode Fuzzy Hash: 9794a5faadf5d0027b5845e033ed6e04e597a550aa79247c64fcb5bc973b4163
Instruction Fuzzy Hash: 1A1159B668C316FAF6052224DC07CEB33ECCB25328B204056FB09E50D6FF7568965A54

Function 00188D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
Instruction ID: 59b25734382bd75dfe965338c452cb5e218d0faaa72605c97b3ccbbd90172988
Opcode Fuzzy Hash: 166d44584bb2a3a6ae2c315804138d004fc902f27391e7d01e07fc3301890a7c
Instruction Fuzzy Hash: 56C1D474904249AFDB21EFE8D845BBDBBB4AF19310F184199F518A7392CB349A42CF61

Function 0018CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0018CEB7
_free.LIBCMT ref: 0018CF22
_free.LIBCMT ref: 0018CF48
_free.LIBCMT ref: 0018CF71
_free.LIBCMT ref: 0018CFA9
_free.LIBCMT ref: 0018CFDA
_free.LIBCMT ref: 0018D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0018D09C
_free.LIBCMT ref: 0018D0B5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3c98c0c01e8ab96126cf09d17c0149d01e21dcfcbe47278aada8a34afc7f2f91
Instruction ID: eb05ad79db7cda97b2499ddfc2d2978f60a8ebdad785d0a0874c8060534e4d5e
Opcode Fuzzy Hash: 3c98c0c01e8ab96126cf09d17c0149d01e21dcfcbe47278aada8a34afc7f2f91
Instruction Fuzzy Hash: 3A616971904311AFEF32BFB4A885A6A7BA5EF11310F15416EFA4497282D7319F028FE0

Function 00168B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001A6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001A68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001A68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001A68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001A68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001A691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00168874,00000000,00000000,00000000,000000FF,00000000), ref: 001A692D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
Instruction ID: 23563d28ac4f9157639af88e1291395521a0c3b3e5e40ad5a8840b47bc7470ee
Opcode Fuzzy Hash: b809d38f7904bdd02e0fd44cc2a41862e0ffb10893d197b789fa7a246a38eeea
Instruction Fuzzy Hash: 0F5178B4600309EFDB24CF64CC95FAA7BB5FB58750F144618F9129B2A0DB70E9A1DB50

Function 001CC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001CC182
GetLastError.KERNEL32 ref: 001CC195
SetEvent.KERNEL32(?), ref: 001CC1A9

Part of subcall function 001CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001CC272
Part of subcall function 001CC253: GetLastError.KERNEL32 ref: 001CC322
Part of subcall function 001CC253: SetEvent.KERNEL32(?), ref: 001CC336
Part of subcall function 001CC253: InternetCloseHandle.WININET(00000000), ref: 001CC341

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
Instruction ID: 25cae97be8119d56c23748b4a9aa0add55b2472566ab07a1cd5b4c9dbfc4242b
Opcode Fuzzy Hash: d8deb1957c58f06fecd4321a1dbf19ffd959cb8d525f61751e650bf6b2231cdc
Instruction Fuzzy Hash: BC317A71600645AFDB219FE5DC44F6ABBF9FF28300B04441DF95A86A10D730EC559BE0

Function 001B25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001B25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001B25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001B25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001B2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001B2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001B260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001B2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001B2627

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
Instruction ID: b43eff342e9c73de3b9872ca5f6e660d22253134738b3947eeb015e9637f06dc
Opcode Fuzzy Hash: c65987e5c2d811c1baad515b5560ecf26abb241ecc88b76545e4857b9323a341
Instruction Fuzzy Hash: BA01D830390250BBFB1067A99CCAFD93F59DB5EB12F100011F314AF1D1CAF114858AA9

Function 001B1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001B1449,?,?,00000000), ref: 001B180C
HeapAlloc.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1828
GetCurrentProcess.KERNEL32(?,00000000,?,001B1449,?,?,00000000), ref: 001B1830
DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001B1449,?,?,00000000), ref: 001B1843
GetCurrentProcess.KERNEL32(001B1449,00000000,?,001B1449,?,?,00000000), ref: 001B184B
DuplicateHandle.KERNEL32(00000000,?,001B1449,?,?,00000000), ref: 001B184E
CreateThread.KERNEL32(00000000,00000000,001B1874,00000000,00000000,00000000), ref: 001B1868

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
Instruction ID: 5aaefe370039c895dcac839bfbf80743a51b81909f3c5b68d74561d24ab566c4
Opcode Fuzzy Hash: 77764c59e3e4698007a99c9d2c179cb6a73aba88014122f389d4bd1131be896f
Instruction Fuzzy Hash: D301BBB5240348FFE710ABA5DC8DF6B3BACEB89B11F414411FA05DF5A1CA709841CB60

Function 001DA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001BD501
Part of subcall function 001BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001BD50F
Part of subcall function 001BD4DC: CloseHandle.KERNELBASE(00000000), ref: 001BD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA16D
GetLastError.KERNEL32 ref: 001DA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001DA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001DA268
GetLastError.KERNEL32(00000000), ref: 001DA273
CloseHandle.KERNEL32(00000000), ref: 001DA2C4

Strings

SeDebugPrivilege, xrefs: 001DA18F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 551806a6e6a2ebbcda9eddd7fccc9274bd082e2753b1caf28609db75d4b058fb
Instruction ID: ec99e688dc56277af0985ba8bf64f683c6444608c4532f39bcc007c735729e7f
Opcode Fuzzy Hash: 551806a6e6a2ebbcda9eddd7fccc9274bd082e2753b1caf28609db75d4b058fb
Instruction Fuzzy Hash: E6618C312042429FD714DF19C894F1ABBE1AF54318F58849DE8668FBA2C772ED49CBD2

Function 001E3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001E3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001E393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001E3954
_wcslen.LIBCMT ref: 001E3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001E39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001E39F4

Strings

SysListView32, xrefs: 001E38F7

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
Instruction ID: 9db0d4df2c00c80341ee16081c51dc1334948c9655e67df7deb285624b15314b
Opcode Fuzzy Hash: a135c13ea51f2964d0751807dc5f4ca7809efabed0c4a4e2975d80a924fa7936
Instruction Fuzzy Hash: 1241E371A00658ABEF219FA5CC49FEE7BA9EF18354F100126F958E7281D3719E90CB90

Function 001BBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001BBCFD
IsMenu.USER32(00000000), ref: 001BBD1D
CreatePopupMenu.USER32 ref: 001BBD53
GetMenuItemCount.USER32(01505C88), ref: 001BBDA4
InsertMenuItemW.USER32(01505C88,?,00000001,00000030), ref: 001BBDCC

Strings

2, xrefs: 001BBD37
0, xrefs: 001BBCA8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 52128056aaac85130923b9c62f084c4e0da1d7efccbd9cc5b6b8c93d01afd0c2
Instruction ID: bb0bc936a68165adbb68e0296196e86f49f71d1afac3797594fbcbf068e24f87
Opcode Fuzzy Hash: 52128056aaac85130923b9c62f084c4e0da1d7efccbd9cc5b6b8c93d01afd0c2
Instruction Fuzzy Hash: CB51BC70A082059BDF20DFE8C8C4BEEBBF4AF55318F148219E4119B690D7B89941CB61

Function 001BC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001BC913

Strings

warning, xrefs: 001BC8FC
info, xrefs: 001BC8B4
question, xrefs: 001BC8CC
blank, xrefs: 001BC895
stop, xrefs: 001BC8E4

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
Instruction ID: f98782c61d5c66b75660f51c44c93885ee7c5e7323db40f275ea99c727471dd4
Opcode Fuzzy Hash: 2c514eccabfc15adf1696b9e52baa5edfa602c58915372d3cc96f08d92bc6db4
Instruction Fuzzy Hash: 85112732689307BBB7049B549C83CEE67ECDF66328B20402EF504E61C2E7A05E4152E4

Function 001BDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001BDE42
gethostname.WSOCK32(?,00000100), ref: 001BDE5C
gethostbyname.WSOCK32(?), ref: 001BDE69
inet_ntoa.WSOCK32(?), ref: 001BDEAB
_strcat.LIBCMT ref: 001BDEB9
WSACleanup.WSOCK32 ref: 001BDEDE

Strings

0.0.0.0, xrefs: 001BDE87

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 881a5bcf540d479f90819f174c47602c11071ea202acbbc20c9e9cc36969e86e
Instruction ID: bf29c6a1b8a5b6bb706dbc54f105d5284fb8d8e6e3a6aa3477d1274e07d1fad6
Opcode Fuzzy Hash: 881a5bcf540d479f90819f174c47602c11071ea202acbbc20c9e9cc36969e86e
Instruction Fuzzy Hash: E7112C31904205AFDB28AB64EC4ADDE77BCDF25715F0101A9F5059B091FF71CAC18A90

Function 001BED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001BED2A
_wcslen.LIBCMT ref: 001BED3B
_wcslen.LIBCMT ref: 001BED79
_wcslen.LIBCMT ref: 001BEDAF
_wcslen.LIBCMT ref: 001BEDDF
_wcslen.LIBCMT ref: 001BEDEF
_wcslen.LIBCMT ref: 001BEE2B
_wcslen.LIBCMT ref: 001BEE5A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
Instruction ID: 19010e2562ae34a959a41287c8e3916f8784c6c51ea4b9a37a15ce89ceb5bf6a
Opcode Fuzzy Hash: bfab4b97eef427081d69d092a41d3d82759b8c6cce71aa5053466bf0277e0a68
Instruction Fuzzy Hash: 8F41B065D1021876CB11EBF48C8A9CFB7B8AF59310F50C566E618E3122FB34E245C3A6

Function 0016F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 0016F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001AF454

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7a16cacc49351f64e96d44e49f461ab8a1d69b1c8b16faf67282470e9b96f0fa
Instruction ID: e94ceb3c56ffcf0ba9b214efb9f8b4485fb1dc5b55187ef507d9665cf6d71f23
Opcode Fuzzy Hash: 7a16cacc49351f64e96d44e49f461ab8a1d69b1c8b16faf67282470e9b96f0fa
Instruction Fuzzy Hash: 4A410935608780BAD73D8B69AC8872A7BA2AF5631CF15443CF09756661C731A8D3C751

Function 001E2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001E2D1B
GetDC.USER32(00000000), ref: 001E2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001E2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001E2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001E2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001E2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001E2DE1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
Instruction ID: afb106ebb2db59178556dfafee4bfa6ac45bd29c4be9e90473ad9daad599c3e4
Opcode Fuzzy Hash: a3777eac07b0b9a47bbecdd9593234ed874a199dd105b77f9ad4691d74c1b790
Instruction Fuzzy Hash: C4318B72201694BBEB118F958C8AFEB3BADFB49721F044055FE089E291C6759C81CBA0

Function 001B5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001B5637
_memcmp.LIBVCRUNTIME ref: 001B5659
_memcmp.LIBVCRUNTIME ref: 001B5671
_memcmp.LIBVCRUNTIME ref: 001B5684
_memcmp.LIBVCRUNTIME ref: 001B569E
_memcmp.LIBVCRUNTIME ref: 001B56B1
_memcmp.LIBVCRUNTIME ref: 001B56C9
_memcmp.LIBVCRUNTIME ref: 001B56E4

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
Instruction ID: 682f8180fb140e0e32a4be302102a355d1615436a367aa8c72d12408b50f7651
Opcode Fuzzy Hash: c8b9c143c3571e2200eac6c3bafb2ce8a2e75001a987776ff9b8f08d8493fb09
Instruction Fuzzy Hash: C5219571B40E0977E31857259D82FFE336FAF34398F644024FD099A581FB60EE1182A5

Function 001D4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001D5007
NULL Pointer assignment, xrefs: 001D502E, 001D5383

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d54a8c75f8e0c8d6a7d3744647d111d5be6de08642d1b251c2aa446cf6d1831e
Instruction ID: 3560b28db44aeef5e7eabe52e4c8c202c8b89c5d13e623014a1a6dceb9ec4828
Opcode Fuzzy Hash: d54a8c75f8e0c8d6a7d3744647d111d5be6de08642d1b251c2aa446cf6d1831e
Instruction Fuzzy Hash: B0D1A375A0060AAFDF14CF98C881FAEB7B6BF58344F14816AE915AB381D770DD45CB90

Function 00191522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00191651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001917FB,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001916FB

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00191777
__freea.LIBCMT ref: 001917A2
__freea.LIBCMT ref: 001917AE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
Instruction ID: 810b5fdb06090c8d00c7f64b38a95847b10edb0fcfd4a2fd07fd7a2f8f47280d
Opcode Fuzzy Hash: 5049ad808e388f8e04065e17c1c95628c894ec8347da765511675c85cfeac180
Instruction Fuzzy Hash: 6691C672E00217BAEF258EB4CC81AEE7BB5AF5A710F1A4659E901E7141D735DDC0CBA0

Function 001D4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D4648
VariantInit.OLEAUT32(?), ref: 001D4749
VariantClear.OLEAUT32(?), ref: 001D4753
VariantClear.OLEAUT32(?), ref: 001D47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001D472C
Null Object assignment in FOR..IN loop, xrefs: 001D45D8, 001D4706, 001D47BE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bae025ba8e0ddc356583f6a8ebc775f4ac7b0b3b80136b7acc50a965922d22b2
Instruction ID: 57a0338dcf22794d1dad4bf5452eefe52044abafc1237a82b094850b477e9130
Opcode Fuzzy Hash: bae025ba8e0ddc356583f6a8ebc775f4ac7b0b3b80136b7acc50a965922d22b2
Instruction Fuzzy Hash: D8919E71A00219ABDF24CFA5DC88FEEBBB8EF56714F10855AF515AB280D7709941CFA0

Function 001C1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001C125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001C1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001C12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001C1430

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 921e0cbefb5adac7149d1a894ad38be9f62d63271bd779683035abdc6e61d72e
Instruction ID: 5adb90f8b5bb69ad778708e3e2fd8a1adf3db86139209ecab48879971ab4994a
Opcode Fuzzy Hash: 921e0cbefb5adac7149d1a894ad38be9f62d63271bd779683035abdc6e61d72e
Instruction Fuzzy Hash: A791CE76A40218AFDB059FA4C885FAEB7B5FF66315F204029E910EB292D774E941CB90

Function 0016948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
Instruction ID: ef8d196e12e32cea5d0e1c3bcd1193507a7d2b171d7817dbc55942b3080245ad
Opcode Fuzzy Hash: f8768f430eebdfdda10ec9d8c8cfe4aae5b670a84d9c746c21577591209478ba
Instruction Fuzzy Hash: 6C913975D00219EFCB14CFA9CC84AEEBBB8FF49320F14415AE516B7251D774AA52CBA0

Function 001D3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D396B
CharUpperBuffW.USER32(?,?), ref: 001D3A7A
_wcslen.LIBCMT ref: 001D3A8A
VariantClear.OLEAUT32(?), ref: 001D3C1F

Part of subcall function 001C0CDF: VariantInit.OLEAUT32(00000000), ref: 001C0D1F
Part of subcall function 001C0CDF: VariantCopy.OLEAUT32(?,?), ref: 001C0D28
Part of subcall function 001C0CDF: VariantClear.OLEAUT32(?), ref: 001C0D34

Strings

AUTOIT.ERROR, xrefs: 001D3A80, 001D3A85
Incorrect Parameter format, xrefs: 001D39A6, 001D3BA1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5d30af63a06233fcf2c5405885f3cb769c4738bfc932db06cd6582530efe114f
Instruction ID: d59f9b4b4d00e01cb4ea84a3029495dd67bd2261d3ee5dee213dc65927c66740
Opcode Fuzzy Hash: 5d30af63a06233fcf2c5405885f3cb769c4738bfc932db06cd6582530efe114f
Instruction Fuzzy Hash: 889146756083059FC704DF68C48196AB7E4FF99314F14892EF8A99B351DB30EE4ACB92

Function 001D4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
Part of subcall function 001B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
Part of subcall function 001B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
Part of subcall function 001B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001D4C51
_wcslen.LIBCMT ref: 001D4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001D4DCF
CoTaskMemFree.OLE32(?), ref: 001D4DDA

Strings

NULL Pointer assignment, xrefs: 001D4E23, 001D4E52

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
Instruction ID: 497e6a480804c7b526e933b0ee2296550c55920cdd8f40c58cd4bd61804da7a2
Opcode Fuzzy Hash: a28cd172c980bb7c2b72dfe04b3e9b985ea876434fb7076bf28810a20e567230
Instruction Fuzzy Hash: AD912871D0021DEFDF14DFA4D890AEEB7B9BF18300F10856AE915AB251EB349A45CFA0

Function 001E20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001E2183
GetMenuItemCount.USER32(00000000), ref: 001E21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001E21DD
_wcslen.LIBCMT ref: 001E2213
GetMenuItemID.USER32(?,?), ref: 001E224D
GetSubMenu.USER32(?,?), ref: 001E225B

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001E22E3

Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a41a464670236a32cdd729bd34594464989d991f5f3151014ca2e1a72bd4d016
Instruction ID: 6abf312e980f005740193208f491d0deae66b1fa474671bff13df6a85d3f70ab
Opcode Fuzzy Hash: a41a464670236a32cdd729bd34594464989d991f5f3151014ca2e1a72bd4d016
Instruction Fuzzy Hash: 6C71AE35A00645AFCB14DFA5C891AAEB7F9FF88310F158459E916EB341D734AE42CB90

Function 001E7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01505E18), ref: 001E7F37
IsWindowEnabled.USER32(01505E18), ref: 001E7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001E801E
SendMessageW.USER32(01505E18,000000B0,?,?), ref: 001E8051
IsDlgButtonChecked.USER32(?,?), ref: 001E8089
GetWindowLongW.USER32(01505E18,000000EC), ref: 001E80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001E80C3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1880ba6eab208c07eae9ce929a97bdb9f7cffe61b5dc80ac2902afa0b0a725da
Instruction ID: ff185b5b5b1fa90f811d22d83a4a6d411a4aaa74a8088efb7cf4871b5b729cce
Opcode Fuzzy Hash: 1880ba6eab208c07eae9ce929a97bdb9f7cffe61b5dc80ac2902afa0b0a725da
Instruction Fuzzy Hash: E571BE34608A84AFEF259F56CC84FEE7BB9EF19300F140459F965972A1CB31AC85CB50

Function 001BAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001BAEF9
GetKeyboardState.USER32(?), ref: 001BAF0E
SetKeyboardState.USER32(?), ref: 001BAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001BAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001BAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001BAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001BB020

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
Instruction ID: dac5de2974aca9ccb496804d4b9a7f551d9fde4a4f99d0f320c6b5ec96ce985f
Opcode Fuzzy Hash: 786c580ce47c0f453a70814c55d2e0c58b5650b15826ce62ce52383e5c87b576
Instruction Fuzzy Hash: AF5190A06086D53DFB3652348C85BFBBEA95F06304F088589F1D9958C2D3D9ECC8D751

Function 001BACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001BAD19
GetKeyboardState.USER32(?), ref: 001BAD2E
SetKeyboardState.USER32(?), ref: 001BAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001BADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001BADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001BAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001BAE38

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
Instruction ID: b387c0bd654c96bad5cc1972d8742514232456cafa250787bba7d2ce5f0491fc
Opcode Fuzzy Hash: e489662e0194fa4dc151e090ed9b9a636defc6ab207cb37ed695ea6895ba3db1
Instruction Fuzzy Hash: D751E4A15487D53DFB378374CC95BFABEA96F46300F488588E1D54A8C2D394EC88D7A2

Function 0018542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00193CD6,?,?,?,?,?,?,?,?,00185BA3,?,?,00193CD6,?,?), ref: 00185470
__fassign.LIBCMT ref: 001854EB
__fassign.LIBCMT ref: 00185506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00193CD6,00000005,00000000,00000000), ref: 0018552C
WriteFile.KERNEL32(?,00193CD6,00000000,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 0018554B
WriteFile.KERNEL32(?,?,00000001,00185BA3,00000000,?,?,?,?,?,?,?,?,?,00185BA3,?), ref: 00185584

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
Instruction ID: dbde87495da6e2d9df10f0ebd46500292045b2dffb53d838f70d18f6778a6993
Opcode Fuzzy Hash: 1d5916ab0e68bb1553ee2df6cfac5778df7a8bc65b6980f6f076bf363dcf3b42
Instruction Fuzzy Hash: 87519F71A00649AFDB11DFA8D885AEEBBFAEF09300F14415AF955E7291E7309B41CF60

Function 00172D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00172D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00172D53
_ValidateLocalCookies.LIBCMT ref: 00172DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00172E0C
_ValidateLocalCookies.LIBCMT ref: 00172E61

Strings

csm, xrefs: 00172DF6

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
Instruction ID: 477094b1e5a97a89e4be78ca1f042e6d51c198d0134c82dffcc25e615776d1cc
Opcode Fuzzy Hash: 0557981be209ae9319fdff673b4b2b91529861c63093b03076ed0b93eef9aebd
Instruction Fuzzy Hash: 7741A234E00209ABCF20DFA8C855A9EBBB5BF58324F14C155E91C6B352D731EA42CB91

Function 001D10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
Part of subcall function 001D304E: _wcslen.LIBCMT ref: 001D309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001D1112
WSAGetLastError.WSOCK32 ref: 001D1121
WSAGetLastError.WSOCK32 ref: 001D11C9
closesocket.WSOCK32(00000000), ref: 001D11F9

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
Instruction ID: 5d46c9ce26849d8d226e5e75222893cc1dfccead930eb3cead6aa1fa482eb0b6
Opcode Fuzzy Hash: cf86a321b6baff0bdfecc682bbd388cb8f7aba57d0507fac539f2506e8293487
Instruction Fuzzy Hash: 9441CE31600214BFDB109F68DC85BAABBAAEF45324F14805AFD159F392C770AD85CBE1

Function 001BCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16

lstrcmpiW.KERNEL32(?,?), ref: 001BCF45
MoveFileW.KERNEL32(?,?), ref: 001BCF7F
_wcslen.LIBCMT ref: 001BD005
_wcslen.LIBCMT ref: 001BD01B
SHFileOperationW.SHELL32(?), ref: 001BD061

Strings

\*.*, xrefs: 001BCFF3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 07b6e038156d44a0bfaa710b1aa537ad17ad3965e000988f53cd3c14596d8c86
Instruction ID: 7a6d321314dcc24ece057635c3078f6289e0fde1407336d2bcc319d23819d719
Opcode Fuzzy Hash: 07b6e038156d44a0bfaa710b1aa537ad17ad3965e000988f53cd3c14596d8c86
Instruction Fuzzy Hash: EF4149719452199FDF16EFA4DD81AEE77F9AF18340F1000EAE509EB141EB34A689CB50

Function 001E2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001E2E1C
GetWindowLongW.USER32(?,000000F0), ref: 001E2E4F
GetWindowLongW.USER32(?,000000F0), ref: 001E2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001E2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001E2EE0
GetWindowLongW.USER32(?,000000F0), ref: 001E2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E2F0B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
Instruction ID: 43202794b62cd06218753f4d3c693f5e34e20336130b2ecdf1239d843a037169
Opcode Fuzzy Hash: f7137c6276b2d57230518f611f7896d7d5b5296c6f3e617d9a52161d17c3f965
Instruction Fuzzy Hash: 7B3108316046A0AFDB21CF99DC98FA937E9FB5A710F1911A4F9009F2B1CB71AC91DB41

Function 001B7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B778F
SysAllocString.OLEAUT32(00000000), ref: 001B7792
SysAllocString.OLEAUT32(?), ref: 001B77B0
SysFreeString.OLEAUT32(?), ref: 001B77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001B77DE
SysAllocString.OLEAUT32(?), ref: 001B77EC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d51b8b7c28ef0c91e784c2a8cbf60ff3e078b74d0a301e528b20fc8a286b5570
Instruction ID: cb906dba4ee217f17cb50b36e21795b3167de9c0b65025e98744507b7e5a2b72
Opcode Fuzzy Hash: d51b8b7c28ef0c91e784c2a8cbf60ff3e078b74d0a301e528b20fc8a286b5570
Instruction Fuzzy Hash: E4218E76604259AFDB10EFA8DC88CFB77ACEB49764B148425FA15DB190DB70DC8287A0

Function 001B77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001B7868
SysAllocString.OLEAUT32(00000000), ref: 001B786B
SysAllocString.OLEAUT32 ref: 001B788C
SysFreeString.OLEAUT32 ref: 001B7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001B78AF
SysAllocString.OLEAUT32(?), ref: 001B78BD

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3ec60504f49a7fdaeb1a4bbb30fe6a59d3df3542526378215875f03ef75bfea5
Instruction ID: f5bbfd388f81a2a7d1f77b45d8f07e63d5060fe6299f6363995339b153d9a049
Opcode Fuzzy Hash: 3ec60504f49a7fdaeb1a4bbb30fe6a59d3df3542526378215875f03ef75bfea5
Instruction Fuzzy Hash: 5C214135608204AFDB109FF8DC88DAA77ECEB497607118125F915CB2E1D774DC82CB64

Function 001C04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001C04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C052E

Strings

nul, xrefs: 001C0567

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
Instruction ID: 17f9f21cde42401f42a5918665583ef1816dec9b1ca6d7bf3b88edd325880499
Opcode Fuzzy Hash: f2b1110ed284eba0a4c570e5795ea07994b71ffdff7ce92f006843478f2dd7c7
Instruction Fuzzy Hash: 88218B70500345EFCF218F68DC44F9A7BA4AF69724F204A1CE8A1D62E0D770D981CF60

Function 001C05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001C05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001C0601

Strings

nul, xrefs: 001C0639

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
Instruction ID: b46ab60be6f027d9cb72d937c48068b8a0203cb22c03c77b3bffcc88db29af56
Opcode Fuzzy Hash: f6686247d817808ab471dd7bd956ee89a994200f721d1f5ca1d488c6ea65df39
Instruction Fuzzy Hash: 56217175500325DBDB219F698C44F9A77E4BFA9720F200A1DE9A1E72D0D770D8A1CB50

Function 001E40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001E4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001E411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001E412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001E4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001E4145

Strings

Msctls_Progress32, xrefs: 001E40E3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
Instruction ID: 3af6deb1c6b9e997a32f805ed98ea598e133ac3b3ad986c9a2aa0f468f19b244
Opcode Fuzzy Hash: 88281d5183de89c9579b2907bcb0cdaf2ec05bac6c18a2bbe1e285c695779c11
Instruction Fuzzy Hash: 5311E2B2140219BFEF108FA5CC85EEB7FADEF18798F014110BA18A6190C7729C61DBA0

Function 0018D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0018D7A3: _free.LIBCMT ref: 0018D7CC

_free.LIBCMT ref: 0018D82D

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018D838
_free.LIBCMT ref: 0018D843
_free.LIBCMT ref: 0018D897
_free.LIBCMT ref: 0018D8A2
_free.LIBCMT ref: 0018D8AD
_free.LIBCMT ref: 0018D8B8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 38369d7d34ce96af2da375efbfe2ed07394711bc4936eb74495af0a8db797c9b
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 08112971940B14AAD622BFF0DC46FCB7B9CAF20704F400825F299A60D2DB79A6058B61

Function 001BDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001BDA74
LoadStringW.USER32(00000000), ref: 001BDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001BDA91
LoadStringW.USER32(00000000), ref: 001BDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001BDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001BDAB9

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
Instruction ID: 307d98c1b663cc4adc1a5832b386f99eec24c4ff6b4d9f4371b1c27d420e7ec3
Opcode Fuzzy Hash: e3c8d6bf6de33e032070eb1b0c6644fb44f5e2ebde7c211be519373dfb529808
Instruction Fuzzy Hash: F0014FF6900248BBEB109BE09D89EEB736CEB08301F400491F716E6041E7749EC58BB4

Function 001C096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014FEB00,014FEB00), ref: 001C097B
EnterCriticalSection.KERNEL32(014FEAE0,00000000), ref: 001C098D
TerminateThread.KERNEL32(?,000001F6), ref: 001C099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001C09A9
CloseHandle.KERNEL32(?), ref: 001C09B8
InterlockedExchange.KERNEL32(014FEB00,000001F6), ref: 001C09C8
LeaveCriticalSection.KERNEL32(014FEAE0), ref: 001C09CF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
Instruction ID: 809dfcb7bcae9916308aae877948b78256cccded7a25d989e805f40c1b95000a
Opcode Fuzzy Hash: 8c7c595000582326b13e72698e6cbc663c3232aa1937eb027db5723c46413683
Instruction Fuzzy Hash: 06F0C932442A52EBD7525BA4EEC9BDABA29BF05706F402025F20298CA1C77595A6CFD0

Function 001D1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001D1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001D1DE1
WSAGetLastError.WSOCK32 ref: 001D1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001D1EDB
inet_ntoa.WSOCK32(?), ref: 001D1E8C

Part of subcall function 001B39E8: _strlen.LIBCMT ref: 001B39F2

Part of subcall function 001D3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001CEC0C), ref: 001D3240

_strlen.LIBCMT ref: 001D1F35

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 175a334c72d7d134f93e57fd36d2a1490c230d69f07a6c9fbe172113696e9670
Instruction ID: 22ba13c66242701280719b596835ef47f5256e867fb9df31ae25e144f0f9cfd0
Opcode Fuzzy Hash: 175a334c72d7d134f93e57fd36d2a1490c230d69f07a6c9fbe172113696e9670
Instruction Fuzzy Hash: F0B1BF31204340BFC324DF64C885E2A7BA5AF94318F54894DF8665F3A2DB71ED4ACB91

Function 00155D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00155D30
GetWindowRect.USER32(?,?), ref: 00155D71
ScreenToClient.USER32(?,?), ref: 00155D99
GetClientRect.USER32(?,?), ref: 00155ED7
GetWindowRect.USER32(?,?), ref: 00155EF8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: fe950350cae687c8c08077fbb9ef60d3171a77c43c0f18a7684714fc24d76ccc
Instruction ID: 4c766da0461c17d82fafdd4c819ca0270f04f63460b0889441dc47fcffc00df1
Opcode Fuzzy Hash: fe950350cae687c8c08077fbb9ef60d3171a77c43c0f18a7684714fc24d76ccc
Instruction Fuzzy Hash: B7B17B35A0064ADBDF14CFA9C481BEEB7F2FF48311F14851AE8A9DB250D730AA55DB50

Function 001801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001800D6
__allrem.LIBCMT ref: 001800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0018010B
__allrem.LIBCMT ref: 00180122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00180140

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8eb06c957246371daf8fd1cdcdf86d21b5240b5f5e0fa4e087c60e3c9423260f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1D81F672600B0AABE725AE68CC41B6B73F8AF55374F24823EF415D6281EB70DA458F50

Function 001861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001782D9,001782D9,?,?,?,0018644F,00000001,00000001,8BE85006), ref: 00186258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0018644F,00000001,00000001,8BE85006,?,?,?), ref: 001862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001863D8
__freea.LIBCMT ref: 001863E5

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

__freea.LIBCMT ref: 001863EE
__freea.LIBCMT ref: 00186413

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
Instruction ID: 1fd19a3a683dd90f9c3194d2452c255ec1e1fcf483ff6df57f1810c5a722df95
Opcode Fuzzy Hash: 3b728338001f96fdbd858df7ad3b8e3f30e12f9ea88e87cb2f77bbe62de9dd68
Instruction Fuzzy Hash: 2A51E372A00216ABEB25AF64DC81EBF77AAEB54710F154669FC09D6140EB34DE40CBA0

Function 001DBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBD25
RegCloseKey.ADVAPI32(00000000), ref: 001DBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001DBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001DBDF3
RegCloseKey.ADVAPI32(?), ref: 001DBDFF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 1a1868a87c9b03b5eda2ea4bacc6f4438aa472d4f1a8e86814ae5183edbad2f4
Instruction ID: 42bde17ac3582255cd1b4549f87c6d3955c3115c7d467b7c781cb4737f9ff630
Opcode Fuzzy Hash: 1a1868a87c9b03b5eda2ea4bacc6f4438aa472d4f1a8e86814ae5183edbad2f4
Instruction Fuzzy Hash: 58815830218241EFD714DF64C8D5E2ABBE5BF84308F15895DF45A8B2A2DB31ED49CB92

Function 001AF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001AF7B9
SysAllocString.OLEAUT32(00000001), ref: 001AF860
VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF889
VariantClear.OLEAUT32(001AFA64), ref: 001AF8AD
VariantCopy.OLEAUT32(001AFA64,00000000), ref: 001AF8B1
VariantClear.OLEAUT32(?), ref: 001AF8BB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fb230199f9239bab9506fc33bce02f669c2af21c4ce9a9633f6695a316a5faba
Instruction ID: f1f7d82d9ffd6fe9d8fbcbf07cba01a9535c2d1ee1c0cf9bb178335d808c3762
Opcode Fuzzy Hash: fb230199f9239bab9506fc33bce02f669c2af21c4ce9a9633f6695a316a5faba
Instruction Fuzzy Hash: EC51E639600310FACF24AFE5D895B2AB3A4EF56314F24846EF805DF292DB708C46C796

Function 001C910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001C94E5
_wcslen.LIBCMT ref: 001C9506
_wcslen.LIBCMT ref: 001C952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001C9585

Strings

X, xrefs: 001C9412

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0dc5ff14deca274ea14e5b054fb03f940ea7fa1124e8ee6dbfd4ed785273fa03
Instruction ID: 37d7729b8ed6b7631e48bcc52184e210e9ec09c6ecc407711d5054586c10c067
Opcode Fuzzy Hash: 0dc5ff14deca274ea14e5b054fb03f940ea7fa1124e8ee6dbfd4ed785273fa03
Instruction Fuzzy Hash: 78E17D31608340CFD724DF24D885F6AB7E4BFA5314F04896DE8999B2A2DB31ED05CB92

Function 0016920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

BeginPaint.USER32(?,?,?), ref: 00169241
GetWindowRect.USER32(?,?), ref: 001692A5
ScreenToClient.USER32(?,?), ref: 001692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001692D3
EndPaint.USER32(?,?,?,?,?), ref: 00169321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001A71EA

Part of subcall function 00169339: BeginPath.GDI32(00000000), ref: 00169357

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
Instruction ID: e3f17082091fab33466ab6a96b2a2e448dee293f57cc5e4513a5d86994d9b1a0
Opcode Fuzzy Hash: ac00d48b234ae191ff4e56c95280cddfd7c12fccb12e865502c1375fbe6f4afd
Instruction Fuzzy Hash: 16419C70104340AFD721DF64DC98FBA7BF8EF6A320F040629F9958A2E1C7309996DB61

Function 001C07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001C080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001C0847
EnterCriticalSection.KERNEL32(?), ref: 001C0863
LeaveCriticalSection.KERNEL32(?), ref: 001C08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001C08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001C0921

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c95eec2bb320753f64ce56bd0522d2cae6dee7931530abb5b7ab31883030229e
Instruction ID: 40eefa7bc225ed5c3c96a4aef5b264e3deb351253f720c211d7a5a8b59bb16a6
Opcode Fuzzy Hash: c95eec2bb320753f64ce56bd0522d2cae6dee7931530abb5b7ab31883030229e
Instruction Fuzzy Hash: 5C415971900205EFDF15DF94DC85AAA7B78FF18304F1480A9ED049E296DB31DE61DBA0

Function 001E81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001AF3AB,00000000,?,?,00000000,?,001A682C,00000004,00000000,00000000), ref: 001E824C
EnableWindow.USER32(?,00000000), ref: 001E8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001E82D1
ShowWindow.USER32(?,00000004), ref: 001E82E5
EnableWindow.USER32(?,00000001), ref: 001E830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001E832F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
Instruction ID: cca08732221f6631991a18f305139e08a607bd0108c0290c16858dab09530b92
Opcode Fuzzy Hash: 5f6f30066f2ed0836497ab1acaa18070f89960b560cc21f93387ad9b6bf64ce7
Instruction Fuzzy Hash: 8741B730601A85AFDB25CF56DC99FEC7BF1BB0A714F185165E60C5F262C7329892CB50

Function 001B4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001B4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001B4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001B4CEA
_wcslen.LIBCMT ref: 001B4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001B4D10
_wcsstr.LIBVCRUNTIME ref: 001B4D1A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e72863eea620e513b3695604571894bdb9ee3dbc600237e3c358b69a51558db2
Instruction ID: 742ff14f090db849000eaef8a71943afa85fa0da5945b6a5960d49622edf07c3
Opcode Fuzzy Hash: e72863eea620e513b3695604571894bdb9ee3dbc600237e3c358b69a51558db2
Instruction Fuzzy Hash: F821D7726042407BEB155B69AC49EBF7FA8DF59750F11C02DF805CA192DB61DC4196A0

Function 001C581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00153AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00153A97,?,?,00152E7F,?,?,?,00000000), ref: 00153AC2

_wcslen.LIBCMT ref: 001C587B
CoInitialize.OLE32(00000000), ref: 001C5995
CoCreateInstance.OLE32(001EFCF8,00000000,00000001,001EFB68,?), ref: 001C59AE
CoUninitialize.OLE32 ref: 001C59CC

Strings

.lnk, xrefs: 001C5876, 001C58C1, 001C5985

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 63a2ac4eb045eee8d551f8bc96e8d1394cddc385fe33bbe81a88d39b485360d8
Instruction ID: d60a67b7bd19b24fd414f12727999b67ecb328df10f6bf7501a01f0b5f8f4a22
Opcode Fuzzy Hash: 63a2ac4eb045eee8d551f8bc96e8d1394cddc385fe33bbe81a88d39b485360d8
Instruction Fuzzy Hash: BFD15370608601DFC714DF25C480E2ABBE2EFA9714F14895DF8999B261DB31EC85CB92

Function 001B175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
Part of subcall function 001B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
Part of subcall function 001B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
Part of subcall function 001B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
Part of subcall function 001B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002

GetLengthSid.ADVAPI32(?,00000000,001B1335), ref: 001B17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001B17BA
HeapAlloc.KERNEL32(00000000), ref: 001B17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001B17DA
GetProcessHeap.KERNEL32(00000000,00000000,001B1335), ref: 001B17EE
HeapFree.KERNEL32(00000000), ref: 001B17F5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
Instruction ID: 9bdba7d5ed79effe2f19decd985b90da71ac4154b65a8dae48d3fded57f53bca
Opcode Fuzzy Hash: d529cdcaea8919bbba34e8a3e708cb6df7df20d351e1be0a536e471bcb4253ca
Instruction Fuzzy Hash: 63118E32610205FFDB14DFA4CC99BEF7BA9EB46355F514018F8419B210DB35A985CBA0

Function 001B14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001B14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001B1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001B1515
CloseHandle.KERNEL32(00000004), ref: 001B1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001B154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001B1563

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
Instruction ID: 9fd0c342ae758b208084461b0f4f77411ebec2354e7fd8ba1775e9e794bc42df
Opcode Fuzzy Hash: 13078e0fb678091ec4689d2016869440b71f2c6a7601e65975d610e4f2c178bf
Instruction Fuzzy Hash: 6C111472504249BBDB11CFA8ED89BDE7BA9EB49744F054025FA05A6060C3758EA19BA0

Function 00173382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00173379,00172FE5), ref: 00173390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0017339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001733B7
SetLastError.KERNEL32(00000000,?,00173379,00172FE5), ref: 00173409

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ce28ffcca3183d2709f9e89b09cca75a7e7d4c4b738ce84bf11896388d7c7032
Instruction ID: 89c7aa992c07e4f2d5d8f5472a7b7dc0ee6c9981b0f26c1bfde835c32abed7be
Opcode Fuzzy Hash: ce28ffcca3183d2709f9e89b09cca75a7e7d4c4b738ce84bf11896388d7c7032
Instruction Fuzzy Hash: 5E01FC33649311BFA62927B57CC95A72A75FB29379730C229F538851F0EF114E017654

Function 00182D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00185686,00193CD6,?,00000000,?,00185B6A,?,?,?,?,?,0017E6D1,?,00218A48), ref: 00182D78
_free.LIBCMT ref: 00182DAB
_free.LIBCMT ref: 00182DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0017E6D1,?,00218A48,00000010,00154F4A,?,?,00000000,00193CD6), ref: 00182DEC
_abort.LIBCMT ref: 00182DF2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 732914827ea0b020e70616f0097c1712b017bfc59f0676c7a5c677014eec9bed
Instruction ID: 06ce1f5bb1f56df62892971ed08033989545e869672a7a90e9e54b7da99d5976
Opcode Fuzzy Hash: 732914827ea0b020e70616f0097c1712b017bfc59f0676c7a5c677014eec9bed
Instruction Fuzzy Hash: 79F0C83664561037C61337B8BC0AE5F295ABFE27A1F254618F824972D2EF349B425F60

Function 001E8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001E8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001E8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001E8A70
LineTo.GDI32(?,00000000,00000003), ref: 001E8A80
EndPath.GDI32(?), ref: 001E8A90
StrokePath.GDI32(?), ref: 001E8AA0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
Instruction ID: eeb7f5a6344fb4375fe8bca76424d5e19332916df040813432f6a0332e282022
Opcode Fuzzy Hash: 5af7783120f87bfc5e09a2d44b479914eb499d7e4c244e4242c019e68754f018
Instruction Fuzzy Hash: 6B11FA7600018CFFDF129F90DC88E9A7F6CEB04354F048021FA199A161C7719D96DFA0

Function 001B51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001B5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B5230
ReleaseDC.USER32(00000000,00000000), ref: 001B5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001B524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001B5261

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
Instruction ID: a92306d1311c1b2ddf1f1949c95f44c5d1bd7ad9d0cfa792bbf260d037287369
Opcode Fuzzy Hash: e510246554c4b1418858a633d4e769a26d89ed7a70a0326823cd3c7e72d21dcf
Instruction Fuzzy Hash: 56014F75A01758BBEB109BE59C89B5EBFB9EB48751F044065FA04AB681D7709801CBA0

Function 00151BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00151BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00151BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00151C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00151C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00151C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00151C22

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
Instruction ID: 9449716f2269e0a604b0a56bf2ae3351ee80d5c4276e1efa883046dac3c74053
Opcode Fuzzy Hash: 444314952d53945dd294172417cb2fb18c8b4022d8512ac8f28cdbf4b0f084c4
Instruction Fuzzy Hash: 950148B09027597DE3008F5A8C85A56FFA8FF19354F04411B915C4BA41C7B5A864CBE5

Function 001BEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001BEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001BEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001BEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001BEB75

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
Instruction ID: 03cee1823f82090a5c5afe3b0c74c039e346dcc77282acf413ae6adfe08b9561
Opcode Fuzzy Hash: 90f1e167e3778356be1f20d07af77b06a633e7c8ffac300ac057b837ddc04efc
Instruction Fuzzy Hash: E9F03072140198BBE72157929C4DEEF3A7CEFCAB11F000158FA01D5591D7A05A42C6F5

Function 001A7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001A7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001A7469
GetWindowDC.USER32(?), ref: 001A7475
GetPixel.GDI32(00000000,?,?), ref: 001A7484
ReleaseDC.USER32(?,00000000), ref: 001A7496
GetSysColor.USER32(00000005), ref: 001A74B0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
Instruction ID: 21c2492fb191562cf68c09642062bb26093381affaf7d2154fb6c6b33d76eeba
Opcode Fuzzy Hash: 1dd899051d4d56dabb49643fdd02a47a7a83219362e87867ca21e9a0695880b8
Instruction Fuzzy Hash: 9B018B31500255EFDB105FA4DC48BEEBBB6FF48311F110064F926A65A0CB311E92AB90

Function 001B1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001B187F
UnloadUserProfile.USERENV(?,?), ref: 001B188B
CloseHandle.KERNEL32(?), ref: 001B1894
CloseHandle.KERNEL32(?), ref: 001B189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001B18A5
HeapFree.KERNEL32(00000000), ref: 001B18AC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
Instruction ID: be25b518466eaa1fdf5bf89df514c9f5f956db2d9e383008f828890ecafd2c38
Opcode Fuzzy Hash: ec06589542ab737535113294c191bfa64577150a24cffe8e71841a4fb023e7e6
Instruction Fuzzy Hash: 14E0E536004241FBDB015FE1ED4C90EBF39FF4AB22B108220F62589870CB3294A2DF90

Function 0015BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015BEB3

Strings

D%"D%", xrefs: 0015BCA5
D%", xrefs: 0015BE9A
D%", xrefs: 0015BDED, 0015BD91, 0015BD1B
D%", xrefs: 0015BCA2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%"$D%"$D%"$D%"D%"
API String ID: 1385522511-2824579510
Opcode ID: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
Instruction ID: 25f4e7b776448bdbb4891d8ed75c567522f66192cd249da84d1df6a27f3a6db5
Opcode Fuzzy Hash: adda9341f65259f804ef7e67853dc30e166aad948748640bf68615323035af01
Instruction Fuzzy Hash: 85916A75A0820ADFCB18CF98C0D16A9B7F1FF58315F248169E965AB350E731ED89CB90

Function 001BC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC6EE
_wcslen.LIBCMT ref: 001BC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001BC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001BC7CA

Strings

0, xrefs: 001BC6AF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 06d29619258a499abf610f192a269bef2d5a60e0e870ca308dfd814ffd49bad3
Instruction ID: ce6e03d37aafc10d1c07db169108cfe29392bfab8b7c8360c9daa3319b160de5
Opcode Fuzzy Hash: 06d29619258a499abf610f192a269bef2d5a60e0e870ca308dfd814ffd49bad3
Instruction Fuzzy Hash: 6251FF726043019BD714DF68C885BEBB7E8AFA9310F040A2DF9A5D72A0DB70D814CBD2

Function 001DAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001DAEA3

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

GetProcessId.KERNEL32(00000000), ref: 001DAF38
CloseHandle.KERNEL32(00000000), ref: 001DAF67

Strings

<, xrefs: 001DAE6B
@, xrefs: 001DAE72

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8bd17982f7722981dc06f602ca375103840b13eba75af7062616c5dd17cb22fe
Instruction ID: d979d4b7092b142707d0d6f89055401a653f01793b977740b9181b5ea0f54bc4
Opcode Fuzzy Hash: 8bd17982f7722981dc06f602ca375103840b13eba75af7062616c5dd17cb22fe
Instruction Fuzzy Hash: 6F717771A00618DFCB14DFA4D485A9EBBF0BF08301F44849AE866AF392D770ED45CB91

Function 001B719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001B7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001B723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001B724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001B72CF

Strings

DllGetClassObject, xrefs: 001B7242

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
Instruction ID: f7efbdecb95adbb24db153f526c3ba531b84d2f0095e49ae899cdcdc5970d26a
Opcode Fuzzy Hash: 78e58e9e41c1ba3d7ab008f865c23814530678ffc25eec974ab7e97eae850844
Instruction Fuzzy Hash: 0C413171A04204EFDB15CF94C984ADA7BA9EF98310F1580ADFD05DF28AD7B1DA45CBA0

Function 001E3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E3E35
IsMenu.USER32(?), ref: 001E3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001E3E92
DrawMenuBar.USER32 ref: 001E3EA5

Strings

0, xrefs: 001E3D89

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d8a12d2934cb9476736179d6a3e49271f5256e0f7e6f5699a9aecdedce7f236e
Instruction ID: 22d57d3796b875e35a2fbaee2e2503188e99102955be85117e2f42da572caa05
Opcode Fuzzy Hash: d8a12d2934cb9476736179d6a3e49271f5256e0f7e6f5699a9aecdedce7f236e
Instruction Fuzzy Hash: 1C418A74A00649EFDB14DF91D888EAEBBB5FF48350F044129F825AB250D330AE42CF90

Function 001B1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001B1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001B1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001B1EA9

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Strings

ListBox, xrefs: 001B1E25
ComboBox, xrefs: 001B1DF0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0ce7dc382050a575be84dd22661f5223c784dd04390d1a379f4b1c80f8b7f9e8
Instruction ID: 049a35a52cbbd5588a56f9212f69565ce58bee781df664f6186c34d139814ff1
Opcode Fuzzy Hash: 0ce7dc382050a575be84dd22661f5223c784dd04390d1a379f4b1c80f8b7f9e8
Instruction Fuzzy Hash: DD218B71A00104FEDB049BA4DC95CFFBBB8DF66350B954019FC21AB1E1DB34890A8660

Function 001E2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001E2F8D
LoadLibraryW.KERNEL32(?), ref: 001E2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001E2FA9
DestroyWindow.USER32(?), ref: 001E2FB1

Strings

SysAnimate32, xrefs: 001E2F68

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
Instruction ID: 220eab493e316ff1c9be479fe09a3f774dc70ef901ddde7ff06ab4797fb5cb11
Opcode Fuzzy Hash: 0f189231cb64986254bb52c54fba3cc42cb69864f476434765eacebaa4d637ab
Instruction Fuzzy Hash: 0E21CD72600685ABEB204FA6DCA1FBF77BDEB69364F100228FA50D7190D771DC9197A0

Function 00174D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002), ref: 00174D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00174D1E,001828E9,?,00174CBE,001828E9,002188B8,0000000C,00174E15,001828E9,00000002,00000000), ref: 00174DC3

Strings

CorExitProcess, xrefs: 00174D98
mscoree.dll, xrefs: 00174D86

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
Instruction ID: 42286adc43b6447e5a1c4ceec0a82dc098da173af7116daf8408f076b1ae984d
Opcode Fuzzy Hash: 073e18a6e9af43fd527c4f976406648d54d2c504603394560a2b8660a0ccaf5e
Instruction Fuzzy Hash: F3F04F35A40308FBDB129FD4DC49BEDBBB5EF58752F0441A8F949A6660DB309A81CAD0

Function 00154E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00154EAE
FreeLibrary.KERNEL32(00000000,?,?,00154EDD,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154EC0

Strings

kernel32.dll, xrefs: 00154E94
Wow64DisableWow64FsRedirection, xrefs: 00154EA8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
Instruction ID: be3d013bd8dfdbdf47974ead1180368ea9011aa367aadbbc6be0b0770b288f19
Opcode Fuzzy Hash: 1a6024698cd0fe5148168b84e6f8a5dfd18af3e8c7689f190f5cfefc9d67495a
Instruction Fuzzy Hash: 4FE0CD35E01622DBD2311765AC1DB9F6595EF82F677090115FC10DB100DB74CD8744F4

Function 00154E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00154E74
FreeLibrary.KERNEL32(00000000,?,?,00193CDE,?,00221418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00154E87

Strings

kernel32.dll, xrefs: 00154E5B
Wow64RevertWow64FsRedirection, xrefs: 00154E6E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
Instruction ID: b7639192e3c66d02ee714366046c33bc27093985dbd3e6533818d3e8189d924e
Opcode Fuzzy Hash: 832668110094dc01b2eabea40d258678c640547807e14ce180f749cbe5bca192
Instruction Fuzzy Hash: A5D0C231902A61E7A6221B256C09DCF2A18EF85F563090114BC10AA110CF34CD8285D0

Function 001C2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2C05
DeleteFileW.KERNEL32(?), ref: 001C2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001C2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001C2CC0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f3baee7255ec943011a97c361619386fe6c0f4172e6e69d71d7ae97d6530ca4e
Instruction ID: 4615b53e8d2ec19ea7ace31d2033b3696d09487e5d0c7df43563d4651fcfb31f
Opcode Fuzzy Hash: f3baee7255ec943011a97c361619386fe6c0f4172e6e69d71d7ae97d6530ca4e
Instruction Fuzzy Hash: 35B13E71900119ABDF25DBA4CC85FDEB7BDEF69350F1040AAF909A7141EB30DA448B61

Function 001DA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001DA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001DA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001DA468
CloseHandle.KERNEL32(?), ref: 001DA63D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 024bf23b1334207187a7d70a27a78fd60779a35f985f610895249091025d3b89
Instruction ID: d81b1adf4ea3605746f018c4429fd4f90e5c0d04b8711bf956d938dc5d1db309
Opcode Fuzzy Hash: 024bf23b1334207187a7d70a27a78fd60779a35f985f610895249091025d3b89
Instruction Fuzzy Hash: 11A1A1716043009FD720DF28D886F2AB7E5AF94714F54885DF96A9B392DBB0EC45CB82

Function 0018BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001F3700), ref: 0018BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0022121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0018BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00221270,000000FF,?,0000003F,00000000,?), ref: 0018BC36
_free.LIBCMT ref: 0018BB7F

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018BD4B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: b1c59df9dc5a73b079a3b9a9f977fe5a962298ae621bf340a483f7147a7a9a28
Instruction ID: c1d7c6c9ea1a6fc1eb2c653fea2e0db6393b865b6372c5ac80b2619db05ff2f5
Opcode Fuzzy Hash: b1c59df9dc5a73b079a3b9a9f977fe5a962298ae621bf340a483f7147a7a9a28
Instruction Fuzzy Hash: 6051D871908219EFCB24FFA59CC59AEB7B8AF64310B10436AF814D71A1EB309F418F50

Function 001BE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001BCF22,?), ref: 001BDDFD

Part of subcall function 001BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001BCF22,?), ref: 001BDE16

Part of subcall function 001BE199: GetFileAttributesW.KERNEL32(?,001BCF95), ref: 001BE19A

lstrcmpiW.KERNEL32(?,?), ref: 001BE473
MoveFileW.KERNEL32(?,?), ref: 001BE4AC
_wcslen.LIBCMT ref: 001BE5EB
_wcslen.LIBCMT ref: 001BE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001BE650

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e9f1f7f81ed2d22c12e80ecce6dd7347809beb3ab4a770d954dd7ea69db08126
Instruction ID: e4e14eb6f10e32388944786fbd4b372fe7c38388edb07f83c299f04b5d9b5507
Opcode Fuzzy Hash: e9f1f7f81ed2d22c12e80ecce6dd7347809beb3ab4a770d954dd7ea69db08126
Instruction Fuzzy Hash: 5E5153B24083859BC724DBA4DC819DF73ECAF95340F00492EF689D7191EF75A68C8766

Function 001DB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001DB6AE,?,?), ref: 001DC9B5
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DC9F1
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA68
Part of subcall function 001DC998: _wcslen.LIBCMT ref: 001DCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001DBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001DBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001DBB63
RegCloseKey.ADVAPI32(?,?), ref: 001DBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001DBBB3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 657680c8d6d806752cbe68fd602fd7a1dd4213e762a873070bc820da0ce8ae33
Instruction ID: 794fa9a652abc7f52174d00c4422fd1d865f7f802576022efa2c4b45f9ce44a3
Opcode Fuzzy Hash: 657680c8d6d806752cbe68fd602fd7a1dd4213e762a873070bc820da0ce8ae33
Instruction Fuzzy Hash: B2612A31208241EFD714DF54C8D1E2ABBE5BF84308F55895EF49A8B2A2DB31ED45CB92

Function 001B8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B8BCD
VariantClear.OLEAUT32 ref: 001B8C3E
VariantClear.OLEAUT32 ref: 001B8C9D
VariantClear.OLEAUT32(?), ref: 001B8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001B8D3B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
Instruction ID: 5d89eaa1567797e7967c3384e7f7852d5be5ffef6afd645e0db0477f1390e12d
Opcode Fuzzy Hash: f007cf2f633de0a7c347d8c86cdebb41ad97e14fcdd33fdb89f0eae85f3bf2ca
Instruction Fuzzy Hash: F6516AB5A00219EFCB14CF68C894AEAB7F8FF8D710B15855AE909DB350E730E911CB90

Function 001C8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001C8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001C8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001C8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001C8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001C8C5F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2dd201c2d644114e8066d3612fe661b6367a5913cc37b3a23d4700ca65ec0d05
Instruction ID: 2780e3c34c26c0cf3772a560e3aedfe3f933597bdbdd8a201400bd3eba70c0ca
Opcode Fuzzy Hash: 2dd201c2d644114e8066d3612fe661b6367a5913cc37b3a23d4700ca65ec0d05
Instruction Fuzzy Hash: 70513835A00215DFCB04DF64D881EADBBF5BF58314F088458E859AB3A2DB31ED55CB90

Function 001D8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001D8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001D8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001D8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001D9032
FreeLibrary.KERNEL32(00000000), ref: 001D9052

Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001C1043,?,7529E610), ref: 0016F6E6
Part of subcall function 0016F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001AFA64,00000000,00000000,?,?,001C1043,?,7529E610,?,001AFA64), ref: 0016F70D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
Instruction ID: 55dbca4feff6290d00a17cd06bc149cb10f36b5ead40adc4df62f888b0303c59
Opcode Fuzzy Hash: 1bcb264de524da8c68fd97e4c9c86c691c9a87ff137934c8bbd553fb17d63559
Instruction Fuzzy Hash: 6F515C35604205DFCB15EF68D4848ADBBF1FF59314B0580A9E81A9F362DB31ED8ACB91

Function 001E6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001E6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001E6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001E6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001CAB79,00000000,00000000), ref: 001E6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001E6CC7

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
Instruction ID: 8bde7ba1e71ddbf6e67be9aae008adb3258c26e98a2492320cafce4b546be42b
Opcode Fuzzy Hash: 9a7d9f05e04da60fdc43c99a4b5471cb8341ddb7ae7ae70d8a2750c2954d00bf
Instruction Fuzzy Hash: 8741F735600584AFD724CF6ACC98FAD7BA5EB19390F650228FC99A73E0C371ED41CA80

Function 00182051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001820C3
_free.LIBCMT ref: 001820E3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
Instruction ID: 70b838e9fca00b8ca448654e9b1d255c0162866eaf89ada6b0eb898f84553216
Opcode Fuzzy Hash: 63a239796ca843c4b27a952fbeee5dd19c71b93c954a33a1c89f9c7b6852653a
Instruction Fuzzy Hash: BB41D376A002009FCB25EF78C885A9DB7F5EF99314F268569E515EB391DB31EE01CB80

Function 0016912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00169141
ScreenToClient.USER32(00000000,?), ref: 0016915E
GetAsyncKeyState.USER32(00000001), ref: 00169183
GetAsyncKeyState.USER32(00000002), ref: 0016919D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
Instruction ID: c32a2d5036ef5c5d77177310a138939da6bd5106d9c9cecd2e6a31c48aa97bb3
Opcode Fuzzy Hash: 9f756a24147d76ac289acef590693bb1f4f4333c7f1c6cb7949cb0da69e48891
Instruction Fuzzy Hash: 2B415E75A0864AEBDF199F68CC44BEEB7B8FF06330F248215E425A72D0C7346A54CB91

Function 001C3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001C38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001C3922
TranslateMessage.USER32(?), ref: 001C394B
DispatchMessageW.USER32(?), ref: 001C3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C3966

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
Instruction ID: de07da64279ef1423df1163ddd52559559d8c7e2f1c386c9d47191b31e3a7bcf
Opcode Fuzzy Hash: 104c46737bd892c78bc9a54177bc9779ed329bcccbc24e76a682f429c596af81
Instruction Fuzzy Hash: 7731B970904381AEEB35CBB4AC4DFB677A4AB35308F04856DE472865A0D3F5D686CB51

Function 001CCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001CCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001CC21E,00000000), ref: 001CCFF2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4bb4ba25f0acecce699c0f44626891e9ba85824c3d35a95482f2d6a41ade4ed5
Instruction ID: 4c06c71d1c9792f0457488f15fef66c0b22df8b005b0fb17a822d8f05329ce31
Opcode Fuzzy Hash: 4bb4ba25f0acecce699c0f44626891e9ba85824c3d35a95482f2d6a41ade4ed5
Instruction Fuzzy Hash: 5C314B71900205AFDB24DFA5D884EAEBBF9EB24350B10442EF51AD6540DB30EE41DBA0

Function 001B1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001B1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001B19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001B19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001B19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001B19E2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
Instruction ID: 00f8b5812e3b08875a98a42a7f0d70d1515674c032fa034aed988536738ffd84
Opcode Fuzzy Hash: dac19da16d6f1bf9f99bf966ab993ad51d96ebde6e24deb9460be94268ee72a9
Instruction Fuzzy Hash: 6A31C072A00259FFCB04CFA8CDA9ADE3BB5EB05319F514229F921EB2D1C7709944CB90

Function 001E5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001E5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001E579D
_wcslen.LIBCMT ref: 001E57AF
_wcslen.LIBCMT ref: 001E57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
Instruction ID: eb62fbbe09eb0fbf4546a175201c600512fb0a6b3e4760f3f22ee9e8a4d0a58c
Opcode Fuzzy Hash: 483fbff1a91d98e8a25715c84f16fb7f69900c74e6250a69d474c852f9994732
Instruction Fuzzy Hash: 8021A531D04A989ADB208FA1CC84AEE7BB9FF14328F148216E919EB1C1E7708985CF50

Function 001D0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001D0951
GetForegroundWindow.USER32 ref: 001D0968
GetDC.USER32(00000000), ref: 001D09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001D09B0
ReleaseDC.USER32(00000000,00000003), ref: 001D09E8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
Instruction ID: a79f7cd2c16cf434429be110859946a4f6b2228885591f96f115cf7f3228d353
Opcode Fuzzy Hash: 5e5597632bce9635dd8546a505fe3e8fab7f1da0714272e41b1629c03a08f3ef
Instruction Fuzzy Hash: 7A216F35600204AFD704EFA9DC94AAEBBE5FF58701F04846DE85ADB752DB70AC45CB90

Function 0018CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0018CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0018CDE9

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0018CE0F
_free.LIBCMT ref: 0018CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0018CE31

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
Instruction ID: e958602a2ae63b4e5817c00d4e1eae09f62383bd76fd0888ea4d19a03a944981
Opcode Fuzzy Hash: f4b2845e8363dc79ed137dc846a2b53a77e1cc5a9c44b2e77522147284e53798
Instruction Fuzzy Hash: D40184726016557F232136BA6C88D7F6E6DEFC6BA13154129F905C7201EB718F028BF0

Function 00169639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
SelectObject.GDI32(?,00000000), ref: 001696A2
BeginPath.GDI32(?), ref: 001696B9
SelectObject.GDI32(?,00000000), ref: 001696E2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
Instruction ID: e44c796555f198626d25065c5465cccc452d12356bef9d7c3f5710b95ac31fdf
Opcode Fuzzy Hash: 5169f6e42dfb5c5c2bc93393e032814e41d3b6068bffa3a63fa961d53a09697d
Instruction Fuzzy Hash: F9214CB0802385EBDB219FA4EC58BAD3BA9BF61755F10061AF410A61B0D37099F3CF94

Function 001B5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001B5726
_memcmp.LIBVCRUNTIME ref: 001B5744
_memcmp.LIBVCRUNTIME ref: 001B5757
_memcmp.LIBVCRUNTIME ref: 001B576F
_memcmp.LIBVCRUNTIME ref: 001B5787

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
Instruction ID: 3e744240950d7f23664eb20e4685a98fd9e3055b593b1d9a5091baeb7cab6983
Opcode Fuzzy Hash: 3a57c3e1db3537d09648e8c684d3ce9d96f5964333bab13e0d5b8ee069afe72a
Instruction Fuzzy Hash: 0F017971741A05BBE30857159D82FFF736FAB713A8FA44025FD089B641FB61EE1282A1

Function 00182DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0017F2DE,00183863,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6), ref: 00182DFD
_free.LIBCMT ref: 00182E32
_free.LIBCMT ref: 00182E59
SetLastError.KERNEL32(00000000,00151129), ref: 00182E66
SetLastError.KERNEL32(00000000,00151129), ref: 00182E6F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bf65d64b554494f2a9de40a0d988fbf98899517144fcb6ad5a623077a1ae846c
Instruction ID: b74181cce1624f5f65229d36570dc6011b31d137c78fe4e5194cb2eb77382830
Opcode Fuzzy Hash: bf65d64b554494f2a9de40a0d988fbf98899517144fcb6ad5a623077a1ae846c
Instruction Fuzzy Hash: D3012836645A007BC62377747C89D6F265EABE17B5B364028F825A32D2EF348F014F64

Function 001B000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?,?,001B035E), ref: 001B002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?), ref: 001B0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001AFF41,80070057,?,?), ref: 001B0070

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
Instruction ID: 5e82318942e018037074c7c26c7a91e17c5eb2299172f563645bd6342c1c84dc
Opcode Fuzzy Hash: c10d0cd7b368cf0e37a33ae62399fbd4a67cc09aadead78c4f029ad64945c1b7
Instruction Fuzzy Hash: CA018F72600204BFDB125FA8DC44FEF7AADEB48791F144128F905D6210D771DD818BA0

Function 001BE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001BE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001BE9A5
Sleep.KERNEL32(00000000), ref: 001BE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001BE9B7
Sleep.KERNEL32 ref: 001BE9F3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
Instruction ID: fa44b8d00f33f95147c47a4bbdbc8ef91c4de7321d3296911f926bbd54e334ef
Opcode Fuzzy Hash: 6a1925cb3ca0607944f05eadc184df51a5ffd1a0c906d7128ed5216db8e2cc24
Instruction Fuzzy Hash: 99012531C01629DBCF00AFE5DC99AEDBBB8FF09705F010556E902B6241CB30A699CBA1

Function 001B10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001B1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001B0B9B,?,?,?), ref: 001B1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001B114D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
Instruction ID: 465eebd2543eb461139ff385fef29d4f5b5d0c48c1df7439c1ab3acb9955c346
Opcode Fuzzy Hash: f76494255bdeda662568a3f15695662905a798cffad94144f2a9fcc165262753
Instruction Fuzzy Hash: FB018179500205BFDB114FA8DC89EAE3F6EEF86360B150418FA41C7350DB31DC418BA0

Function 001B0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001B0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001B0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001B0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001B0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001B1002

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
Instruction ID: 599e9936f87d08dfc6ea5be66b7b6e55289394f4995e8dd25743e20eae4b6c2e
Opcode Fuzzy Hash: f2ce5e3445e4cb6bb67e75d652101ae0854e26ba7e2259fe31d57c8f6447a040
Instruction Fuzzy Hash: C1F04939200345FBDB215FA49C8DF9A3BADEF8A762F614415FE45CA651CB70DC818BA0

Function 001B1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
Instruction ID: cdb0f7641aa69fefaf5f8958020618415bc2e9da5b5d7ae4a01c25d16c6d56bd
Opcode Fuzzy Hash: 56869306bf8377c448402fe25ccb47275ff7832e29634f1e5da809ec873a3120
Instruction Fuzzy Hash: 61F04F39100341FBD7215FA4EC99F9A3B6DEF8A761F610414FD45CA650CB70D8818AA0

Function 001C030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0324
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0331
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C033E
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C034B
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0358
CloseHandle.KERNEL32(?,?,?,?,001C017D,?,001C32FC,?,00000001,00192592,?), ref: 001C0365

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
Instruction ID: a38da16d7f258c06d9e74c4272991f74404e954a857839e5a82c99d01665fd7a
Opcode Fuzzy Hash: fdc14175c91c69d7c468d612b0cadb219369c9fbd1fec103cba9190b497c596e
Instruction Fuzzy Hash: FB01EE72800B81CFCB32AF66D880802FBF9BF603153059A3FD19252931C3B1A989CF80

Function 0018D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0018D752

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 0018D764
_free.LIBCMT ref: 0018D776
_free.LIBCMT ref: 0018D788
_free.LIBCMT ref: 0018D79A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
Instruction ID: c65d8b95ff346c1a461134dce79e44d5ca6767d63c1cfe7225bc4c62264a7d1c
Opcode Fuzzy Hash: 4983f00e7595060a01d7321fc2dc210ae95114eae5681df88db95a08c6e502d4
Instruction Fuzzy Hash: 94F03632944314AB8622FB68F9C6C5677EDBB547187A64C05F048D7541CB34FD808F64

Function 001B5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001B5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001B5C6F
MessageBeep.USER32(00000000), ref: 001B5C87
KillTimer.USER32(?,0000040A), ref: 001B5CA3
EndDialog.USER32(?,00000001), ref: 001B5CBD

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 61c168d5ba03c7aaabecb895d54a4a86fcd26dc61b36cba3664dd5106a27d5e0
Instruction ID: e3dcab7e899e61fb01312033fd6db4893d599fc4163af640aded9e4908bcc629
Opcode Fuzzy Hash: 61c168d5ba03c7aaabecb895d54a4a86fcd26dc61b36cba3664dd5106a27d5e0
Instruction Fuzzy Hash: 61018130500B44ABEB245B50DD8EFEA7BBEBB04B05F000559E583A55E1DBF0A9898BD0

Function 001822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001822BE

Part of subcall function 001829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000), ref: 001829DE
Part of subcall function 001829C8: GetLastError.KERNEL32(00000000,?,0018D7D1,00000000,00000000,00000000,00000000,?,0018D7F8,00000000,00000007,00000000,?,0018DBF5,00000000,00000000), ref: 001829F0

_free.LIBCMT ref: 001822D0
_free.LIBCMT ref: 001822E3
_free.LIBCMT ref: 001822F4
_free.LIBCMT ref: 00182305

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
Instruction ID: 107266f03a7132f327449c6597ddb6fe465b9aa4763c1166d01daab8b524b9b5
Opcode Fuzzy Hash: 2253b49d67bf9e44c06f505277f11ad871e710050b80465cff6056c6cfb44e0a
Instruction Fuzzy Hash: 3CF030B4880130AB8623BFD4BC498483B65B7387507122606F814D3272CF3416639FA4

Function 001695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001695D4
StrokeAndFillPath.GDI32(?,?,001A71F7,00000000,?,?,?), ref: 001695F0
SelectObject.GDI32(?,00000000), ref: 00169603
DeleteObject.GDI32 ref: 00169616
StrokePath.GDI32(?), ref: 00169631

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
Instruction ID: 4c524640da1133d827d86fe88e92990ec3bcc0cd4ca179ec3a1cad6367edb3fb
Opcode Fuzzy Hash: de59e9464d4e1be9db61c502809dd9f6839b8909dedc0c1e2b735deb374f4970
Instruction Fuzzy Hash: B2F0C9350053C8EBDB265FA9ED5CB683B65AB11322F049214F465594F0C73089F7DF60

Function 00180F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001810F9
__freea.LIBCMT ref: 00181117

Part of subcall function 00181537: _free.LIBCMT ref: 0018154F

Strings

a/p, xrefs: 001811DE
am/pm, xrefs: 0018117A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
Instruction ID: 6a427964ef79f1e446761cf10dcdfe939daafe30cd2ebca6cab6a48620859363
Opcode Fuzzy Hash: 162ae20fbf80fe996205bb6fa14d8d49e0f359ea18329e70d1903acecf63fb78
Instruction Fuzzy Hash: BED10433900206EACB28BF68C845BFAB7B9FF16710F294159E9059B650D3759F82CF51

Function 001D61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

__Init_thread_footer.LIBCMT ref: 001D6238

Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235

Part of subcall function 001C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001C35E4
Part of subcall function 001C359C: LoadStringW.USER32(00222390,?,00000FFF,?), ref: 001C360A

Strings

x#", xrefs: 001D633A
x#", xrefs: 001D636F
x#", xrefs: 001D6353

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#"$x#"$x#"
API String ID: 1072379062-2717048500
Opcode ID: 6e706fa10dd43e8dec441af0f9e90029af0efae337eed92243196b878cc4abf1
Instruction ID: bfa7aa91f0c1e63cc613c375ecdcdee27f9cb44ede8b36ed7d4e646dc2912c9d
Opcode Fuzzy Hash: 6e706fa10dd43e8dec441af0f9e90029af0efae337eed92243196b878cc4abf1
Instruction Fuzzy Hash: 31C16A71A00205AFCB14DF98D891EBEB7B9EF58340F10816AF915AB391DB70E985CB90

Function 001D7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00170242: EnterCriticalSection.KERNEL32(0022070C,00221884,?,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017024D
Part of subcall function 00170242: LeaveCriticalSection.KERNEL32(0022070C,?,0016198B,00222518,?,?,?,001512F9,00000000), ref: 0017028A

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001700A3: __onexit.LIBCMT ref: 001700A9

__Init_thread_footer.LIBCMT ref: 001D7BFB

Part of subcall function 001701F8: EnterCriticalSection.KERNEL32(0022070C,?,?,00168747,00222514), ref: 00170202
Part of subcall function 001701F8: LeaveCriticalSection.KERNEL32(0022070C,?,00168747,00222514), ref: 00170235

Strings

Variable must be of type 'Object'., xrefs: 001D7C3A
5, xrefs: 001D7C78
G, xrefs: 001D7C7F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ce5a2562f1c5ec83e222d7822ac68e1c9d8495a189bc81d7aad88bdba54b2a8b
Instruction ID: 2bb7329ad05a93c68b79b5e72f6bb6aacdf846d9924152d66c3431f61775a775
Opcode Fuzzy Hash: ce5a2562f1c5ec83e222d7822ac68e1c9d8495a189bc81d7aad88bdba54b2a8b
Instruction Fuzzy Hash: 3A918B71A04609EFCB14EF94D891DADB7B2FF59300F50805AF806AB392EB71AE45CB51

Function 001B2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21D0,?,?,00000034,00000800,?,00000034), ref: 001BB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001B2760

Part of subcall function 001BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001BB3F8

Part of subcall function 001BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001BB355
Part of subcall function 001BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB365
Part of subcall function 001BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001B2194,00000034,?,?,00001004,00000000,00000000), ref: 001BB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001B281A

Strings

@, xrefs: 001B2832

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2116ec2efc49bd195ccf14a50201a144ab3cb7d4e618b75d7f7b3af22e78c2db
Instruction ID: 51ce2d8a171ee64ab2b5187b5b6f20aa083fb550fe0eb2cd5cef0171e9208ecd
Opcode Fuzzy Hash: 2116ec2efc49bd195ccf14a50201a144ab3cb7d4e618b75d7f7b3af22e78c2db
Instruction Fuzzy Hash: 25410B76900218AFDB10DBA4CD85AEEBBB8AF19700F104095FA55B7191DB706E89CBA1

Function 0018172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00181769
_free.LIBCMT ref: 00181834
_free.LIBCMT ref: 0018183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00181760, 00181767, 00181796, 001817CE

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 20dbab01b37013ac8751977ca752f9e95c8b61901e9df788cbc846e0edb112c0
Instruction ID: 25b1637e87d1ea04a8131f135ee3485f8733aac8d797f9f7df5d295462f39acd
Opcode Fuzzy Hash: 20dbab01b37013ac8751977ca752f9e95c8b61901e9df788cbc846e0edb112c0
Instruction Fuzzy Hash: 46318E72A00218FBDB21EB999885D9EBBFCEBA5310B1041AAF80497211D7708F42CF90

Function 001BC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001BC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001BC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00221990,01505C88), ref: 001BC395

Strings

0, xrefs: 001BC2DF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 501a6b8ced9f348cc5f2ab86fab17f6472a3952dbd62d5fe6d05180bbe4a62a1
Instruction ID: 194bb264b45e44a142006ff3f8f18a22a391342694e33586f5769a1dbbed6b14
Opcode Fuzzy Hash: 501a6b8ced9f348cc5f2ab86fab17f6472a3952dbd62d5fe6d05180bbe4a62a1
Instruction Fuzzy Hash: D341AE312043419FD724DF25D884F9BBBE4BF95320F048A1EF8A59B2E1D770A904CBA2

Function 001E4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001ECC08,00000000,?,?,?,?), ref: 001E44AA
GetWindowLongW.USER32 ref: 001E44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E44D7

Strings

SysTreeView32, xrefs: 001E447C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 17955d300f21d9198d66d35a70e32a25e6088c222b784d9d642d671db42a6d95
Instruction ID: 4f948de105af6f83bcd7a292fd7c517870a6fff8396bcedd57766362a476087a
Opcode Fuzzy Hash: 17955d300f21d9198d66d35a70e32a25e6088c222b784d9d642d671db42a6d95
Instruction Fuzzy Hash: 35319C32210A85AFDB208E79DC45BEA77A9EF08334F204325F975921D0D770AC519790

Function 001D304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001D3077,?,?), ref: 001D3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001D307A
_wcslen.LIBCMT ref: 001D309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001D3106

Strings

255.255.255.255, xrefs: 001D3095, 001D309A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fed38efe02cac8b68d036469b11cb5287a50e4a2b2ba62b4e4e72457dd62ba2c
Instruction ID: 36302389bd5b74fc7963aeda48b6f4581fe5c78bd5deb5353fde337ffd33a6ed
Opcode Fuzzy Hash: fed38efe02cac8b68d036469b11cb5287a50e4a2b2ba62b4e4e72457dd62ba2c
Instruction Fuzzy Hash: 8D31E739200206DFC710CF68C985EA977F0EF54318F25815AE9258F792D771EE45C762

Function 001E3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001E3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001E3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E3F78

Strings

SysMonthCal32, xrefs: 001E3F0B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8eb197c1462b58c79c10457f422fe0326e82cceb01a9d71582fab179219b30fa
Instruction ID: 62871996ee1bea0a938621e82ff4699780f2478d46b38363542471b570526bd8
Opcode Fuzzy Hash: 8eb197c1462b58c79c10457f422fe0326e82cceb01a9d71582fab179219b30fa
Instruction Fuzzy Hash: 2D21AD32600259BBDF218F91CC86FEE3BB5EF48714F110214FA156B1D0D7B1A9918B90

Function 001E4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001E4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001E4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001E471A

Strings

msctls_updown32, xrefs: 001E4684

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9445f19e3b451023975e108c6747f6949870f3ccc3e210c36d671110fa1eaf0c
Instruction ID: dcb127bb1972fdd92ed84acc346042486dc44a093492411b7665f8c063e11d23
Opcode Fuzzy Hash: 9445f19e3b451023975e108c6747f6949870f3ccc3e210c36d671110fa1eaf0c
Instruction Fuzzy Hash: A42160B5600648AFDB10DF65DCC1DAB37EDEF5A7A4B040059FA009B351CB70EC62CAA0

Function 001B95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B961D

Strings

#notrayicon, xrefs: 001B95B7
#requireadmin, xrefs: 001B95D9
#OnAutoItStartRegister, xrefs: 001B95F3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 62d21b9caa56c3a9e5c217b50d64e29ddcf33d4411c4851fe1fb9b99f12b719c
Instruction ID: 08d58ab944dd2d163dffa6f409810c5fcdfc3863f4d01ead0195c5f079be93af
Opcode Fuzzy Hash: 62d21b9caa56c3a9e5c217b50d64e29ddcf33d4411c4851fe1fb9b99f12b719c
Instruction Fuzzy Hash: 0D216A32244650A6D331AB25EC06FFB73E8AFA5300F10802AFF499B081EB51AD57C2D5

Function 001E37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001E3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001E3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001E3876

Strings

Listbox, xrefs: 001E380F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 902d0cd89c69e3caa52ac9ccaf1e7a7b522e829fe37bdf703a4c42d8b240ca3b
Instruction ID: c6b3af4d9b76458da474c0d44e8630a58ffee346f63180ec1bd1da2dd3f0f71e
Opcode Fuzzy Hash: 902d0cd89c69e3caa52ac9ccaf1e7a7b522e829fe37bdf703a4c42d8b240ca3b
Instruction Fuzzy Hash: 95218072610158BBEB218F96DC89EAF376AEF99750F118124F9149B190C771DC5287A0

Function 001C49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001C4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001C4A5C
SetErrorMode.KERNEL32(00000000,?,?,001ECC08), ref: 001C4AD0

Strings

%lu, xrefs: 001C4A6F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2011558527290d1fe8a3e3c8fe38caf8e63b1b3159c92361473511acfa11f66a
Instruction ID: 274e549ec4d2a4b158e85a112dadda25490d7f5c1a6a5db5bdf618cb7d555f1d
Opcode Fuzzy Hash: 2011558527290d1fe8a3e3c8fe38caf8e63b1b3159c92361473511acfa11f66a
Instruction Fuzzy Hash: A7312D75A00109EFDB10DF54C885EAA77E8EF15308F148099E905DF252D771ED46CBA1

Function 001E41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001E424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001E4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001E4271

Strings

msctls_trackbar32, xrefs: 001E4226

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 256f8d92df48c74b7ab759dd77d445611d8363fc571a1b77503eb1e69e51c881
Instruction ID: 3c6b4881a58c3e623445cdec4c664c663ae3b4479144e521d80e5917a8b9eb99
Opcode Fuzzy Hash: 256f8d92df48c74b7ab759dd77d445611d8363fc571a1b77503eb1e69e51c881
Instruction Fuzzy Hash: 7011E331240288BFEF205F69DC46FAB7BACEF99B64F010124FA55E6090D371D8619B50

Function 001B2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

Part of subcall function 001B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
Part of subcall function 001B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
Part of subcall function 001B2DA7: GetCurrentThreadId.KERNEL32 ref: 001B2DDD
Part of subcall function 001B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4

GetFocus.USER32 ref: 001B2F78

Part of subcall function 001B2DEE: GetParent.USER32(00000000), ref: 001B2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001B2FC3
EnumChildWindows.USER32(?,001B303B), ref: 001B2FEB

Strings

%s%d, xrefs: 001B2FFF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e0311200b85fdea131d6ef3f919d41024adc6766e37fd0f756edb1ee1a12dfda
Instruction ID: aeb4f28968df2c37d281e3ec64f33db628ec5389d756338d2afc41b5962f4cbc
Opcode Fuzzy Hash: e0311200b85fdea131d6ef3f919d41024adc6766e37fd0f756edb1ee1a12dfda
Instruction Fuzzy Hash: CF11B471700205ABCF147FB08CC5EEE776AAFA9304F044075FD199B252DF70994A8BA0

Function 001E5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001E58EE
DrawMenuBar.USER32(?), ref: 001E58FD

Strings

0, xrefs: 001E588F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f3ca2c3e015e897d11cc784d112e53424c79791058c8028dc0fd527687f28c6c
Instruction ID: f4d0346a56bdf7918586f3873aa8091c0fb720261c98aef7a2bb8f9728d75ccb
Opcode Fuzzy Hash: f3ca2c3e015e897d11cc784d112e53424c79791058c8028dc0fd527687f28c6c
Instruction Fuzzy Hash: E701AD31600688EFDB209F52EC44BEEBFB5FF45369F008099E848DA152DB308A91DF20

Function 001AD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 001AD3BF
FreeLibrary.KERNEL32 ref: 001AD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 001AD3B9
X64, xrefs: 001AD2A8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: cff1ae8270fda0e63b141e4d0fb782356f8e9515f18fa6d2f27ce5feb5cea9fd
Instruction ID: 7fbf4d3b65e264529e84065f51a90e0024ba89d40263040fbe092a3435428beb
Opcode Fuzzy Hash: cff1ae8270fda0e63b141e4d0fb782356f8e9515f18fa6d2f27ce5feb5cea9fd
Instruction Fuzzy Hash: 5AF05569802E21DBCB3543116C54AAD3324BF12741B5A415AF403F5808DB20CD95C2C2

Function 001B007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a280207e0aecd811d9e1302a72bde27c76ea24e314fe2f10bf85aab834fddc70
Instruction ID: cb3ccee6a1ee809fd691ac93f07862a2dd6d692361922131878023ea9a06bf95
Opcode Fuzzy Hash: a280207e0aecd811d9e1302a72bde27c76ea24e314fe2f10bf85aab834fddc70
Instruction Fuzzy Hash: 58C14C75A0021AEFDB15CFA8C898AAEB7B5FF48704F118598E505EB261D731ED81CB90

Function 00183E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00183F0B
__alldvrm.LIBCMT ref: 0018410C
__alldvrm.LIBCMT ref: 0018412E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7445ef4685ab88ceb853f0eacf85e1820f6bb22b5d30660a64c4433eab6d54b6
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 71A15871E003879FEB15EF18C8917AEBBE4EF61350F18416DE5959B282CB349A81CF91

Function 001D342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001D3459
CoUninitialize.OLE32 ref: 001D3463
VariantInit.OLEAUT32(?), ref: 001D346E
VariantClear.OLEAUT32(?), ref: 001D371B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6ab6c429bc4c692a0afacbb95eafda965b9316f7f7db1ea370120169f8298a08
Instruction ID: e7d70af082f41b1b90189db9ab7fba10cf62b3b0b52a78c2ed31423220d1313b
Opcode Fuzzy Hash: 6ab6c429bc4c692a0afacbb95eafda965b9316f7f7db1ea370120169f8298a08
Instruction Fuzzy Hash: CBA13D75604300DFC704DF28D485A2AB7E5FF98715F05885AF9999B3A1DB30EE05CB92

Function 001B0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B0608
CLSIDFromProgID.OLE32(?,?,00000000,001ECC40,000000FF,?,00000000,00000800,00000000,?,001EFC08,?), ref: 001B062D
_memcmp.LIBVCRUNTIME ref: 001B064E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 228ce35680434a1cd5918676e3822a2dd4220a4df71b777d3281d910ec8ea6fe
Instruction ID: e39592b26319df60fdc9b23054b8e0f4436dd13f782a0ead90e763e7c9cc0fb0
Opcode Fuzzy Hash: 228ce35680434a1cd5918676e3822a2dd4220a4df71b777d3281d910ec8ea6fe
Instruction Fuzzy Hash: 53810971A00209EFCB05DF98C984EEEB7B9FF89315F204558E516EB250DB71AE46CB60

Function 001DA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001DA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001DA6BA

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Process32NextW.KERNEL32(00000000,?), ref: 001DA79C
CloseHandle.KERNEL32(00000000), ref: 001DA7AB

Part of subcall function 0016CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00193303,?), ref: 0016CE8A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d4be27a5b6c430441077794eef37db0e9f8bfe9aeb7a2911a3e6d9e1b88a5b7c
Instruction ID: f79779971db662369d5db8a15bece0f87c69b7aaf9b38d1ac70d47b540af7d7e
Opcode Fuzzy Hash: d4be27a5b6c430441077794eef37db0e9f8bfe9aeb7a2911a3e6d9e1b88a5b7c
Instruction Fuzzy Hash: 31516C71508300EFD710EF24D886A6BBBE8FF99754F40491DF9999B252EB70D908CB92

Function 00191391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001914C0

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d19c58542035b89ec82fb8ae987c8fb0d57feb8534b5642bd6f4274a760b994c
Instruction ID: bb03df5c9737b60ce2ec77978f155002fe242829ef646c085acb5c293937fe60
Opcode Fuzzy Hash: d19c58542035b89ec82fb8ae987c8fb0d57feb8534b5642bd6f4274a760b994c
Instruction Fuzzy Hash: B4414731A00102BBDF257BF89C466BE3AB4FF69370F254225F81897192E73489C18762

Function 001E6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E62E2
ScreenToClient.USER32(?,?), ref: 001E6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001E6382

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
Instruction ID: 15959797951c1ad14625715ee0d381cd75643190966e0d75b73b29a7f73d56c2
Opcode Fuzzy Hash: 8b681f46cfa9fff5615ef6bea497bbac3969f2a407c1632820a731b0ba257b3d
Instruction Fuzzy Hash: BF516274900685EFCF10DF55D8849AE7BB6FF653A0F508159F9159B290D730ED81CB90

Function 001D1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001D1AFD
WSAGetLastError.WSOCK32 ref: 001D1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001D1B8A
WSAGetLastError.WSOCK32 ref: 001D1B94

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
Instruction ID: dc9e653a9dbf206e6a483291d1a077dc99d5ca9fe0ebd34a7cc33a2bfb1aca87
Opcode Fuzzy Hash: 882fd889794751b86f880626c1f64a85ddf3807fb70bab3d8b8ec18415d88373
Instruction Fuzzy Hash: B041A034600200BFE720AF24D886F2A77E5AB58718F54845DF96A9F7D2D772ED42CB90

Function 0018B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
Instruction ID: f2e776e55a859074d6a0b3395ef26b1f5ccc7a646f84079ab6d2fdb41c2dc6b4
Opcode Fuzzy Hash: b7e1381281c8f8686ab8de43496ab58c45e9420f108623c2a2f6f954c5b532fe
Instruction Fuzzy Hash: 60412B72A04304BFD725AF38CC82B6B7BE9EB94710F10452EF546DB292D3719A418B90

Function 001C56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001C5783
GetLastError.KERNEL32(?,00000000), ref: 001C57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001C57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001C57FA

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
Instruction ID: 733dc6b9b03cdf19e4a0c0efbcba7eb371cf318c280a8343bf32ded21fccd3d1
Opcode Fuzzy Hash: 30d101164f9f194c94368aeefd8349b2dd5f9df86e0b44b440dcdd8d9c743948
Instruction Fuzzy Hash: 74415D39600610DFCB10DF55D485A5EBBE2EF99321B198488EC5AAF3A2DB30FD45CB91

Function 0018D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00176D71,00000000,00000000,001782D9,?,001782D9,?,00000001,00176D71,8BE85006,00000001,001782D9,001782D9), ref: 0018D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0018D9AB
__freea.LIBCMT ref: 0018D9B4

Part of subcall function 00183820: RtlAllocateHeap.NTDLL(00000000,?,00221444,?,0016FDF5,?,?,0015A976,00000010,00221440,001513FC,?,001513C6,?,00151129), ref: 00183852

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
Instruction ID: fd4bb9f7dea0009ab7939417fff7d172ac2bddd42fa3f90be23e9203136373e1
Opcode Fuzzy Hash: 3e76ae07e1325d50afdaa2586979d84d27a519f733d59ce19434bdb47ceb0573
Instruction Fuzzy Hash: B731D272A0021AABDF25AF65EC41EAE7BA5EB41714F054168FC08D7190EB35CE51CB90

Function 001E52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001E5352
GetWindowLongW.USER32(?,000000F0), ref: 001E5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001E5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001E53A8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
Instruction ID: 2f491a41d5217aa22529be37b900f4ffd0c0111fb5350edc33af9b2b97fbca84
Opcode Fuzzy Hash: 6ddcfbc5c881e481c6dcf27d6a83fc9ead0e6f431b5b1ac3b676930c20402cbf
Instruction Fuzzy Hash: BA31DE34A55E88EFEB349A56CC46FED7767BB04398F584102FA10962E1C7B09980DB82

Function 001BAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 001BABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001BAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001BAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 001BACC6

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
Instruction ID: f37f863ee7e4d19b67551c6ca7b10cd812deb7ff55473df822427f5c7b52313f
Opcode Fuzzy Hash: 6477ab89c30603a7aba665810f201caeed835101f4099f51ddf11a32736d61c5
Instruction Fuzzy Hash: E9314630A00358AFFF35CB65CC497FE7FA5AF89310F84431AE481962D1D374998187A2

Function 001E7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001E769A
GetWindowRect.USER32(?,?), ref: 001E7710
PtInRect.USER32(?,?,001E8B89), ref: 001E7720
MessageBeep.USER32(00000000), ref: 001E778C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
Instruction ID: a3581d90bca773694823afcefeba1646b45447e3f13d2e62680492b372ca3202
Opcode Fuzzy Hash: 4629f8127e45e0c8963f1aa0c37110ea99fda3b5b60cafb8b862a192fbb9d5a2
Instruction Fuzzy Hash: 0841A034A05694EFEB11CF9AD898EADB7F4FF59304F1540A8E4149B2A1C330A982CF90

Function 001E16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001E16EB

Part of subcall function 001B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001B3A57
Part of subcall function 001B3A3D: GetCurrentThreadId.KERNEL32 ref: 001B3A5E
Part of subcall function 001B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001B25B3), ref: 001B3A65

GetCaretPos.USER32(?), ref: 001E16FF
ClientToScreen.USER32(00000000,?), ref: 001E174C
GetForegroundWindow.USER32 ref: 001E1752

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
Instruction ID: c278c9112368146cd88649b30dac667456a3d0518a0da61756d4290197422b01
Opcode Fuzzy Hash: d3b4568b24014f481bf9af61d4623a5633ab50429f6427e0f9ca334ea04c68d4
Instruction Fuzzy Hash: B7314171D00249AFC704EFAAC8C1CEEB7F9EF59304B50806AE425EB251D7719E45CBA0

Function 001E8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

GetCursorPos.USER32(?), ref: 001E9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001A7711,?,?,?,?,?), ref: 001E9016
GetCursorPos.USER32(?), ref: 001E905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001A7711,?,?,?), ref: 001E9094

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
Instruction ID: 07a48393b80b178ff8dc94814b513866549663635535062e04964ad28ab26fb0
Opcode Fuzzy Hash: e535c185c1f15933aca1b70ebabde5f8722bf9a449ea88d2e62c704b2825381c
Instruction Fuzzy Hash: C221D172600558FFCB258F95CC98EFE7BB9EF89350F444055F9058B261C3319AA1DBA0

Function 001BD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001ECB68), ref: 001BD2FB
GetLastError.KERNEL32 ref: 001BD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001BD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001ECB68), ref: 001BD376

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
Instruction ID: 63dc299bb64272bf914e0637f6592426d026b28c3aae46a2320fdac3ec6dcbea
Opcode Fuzzy Hash: 4c441b3c6af76c3074bbbad3764ad812c3a8915df5723480c79fb1e8f9c9d735
Instruction Fuzzy Hash: 9D2171B0505301DF8718DF68D8814AE77E4BF55764F104A1DF8A9CB2A2E731D94ACB93

Function 001B1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001B102A
Part of subcall function 001B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001B1036
Part of subcall function 001B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1045
Part of subcall function 001B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001B104C
Part of subcall function 001B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001B1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001B15BE
_memcmp.LIBVCRUNTIME ref: 001B15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001B1617
HeapFree.KERNEL32(00000000), ref: 001B161E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
Instruction ID: 43b7fdb36078d8ec6117ca69dadcea068772ad06f5cd4ad79c6a2b8bf60ef420
Opcode Fuzzy Hash: ac69ad9dd6e82f02be1710118516b122188af3c4a00bab0af07b2e88e27ccdeb
Instruction Fuzzy Hash: 1E21AC32E00208FFDF10DFA5C965BEEB7B8EF45354F4A8459E441AB241E770AA45CBA0

Function 001E2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001E280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001E2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001E2840

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a712eb83de97dc02a496239b934c3f7c6e785b2a13a59c685e007a9372df1b17
Instruction ID: 5418bf91bd2b4b1b0f5f122f834d851e36490f72e5258ff4e49beafd6c6d075e
Opcode Fuzzy Hash: a712eb83de97dc02a496239b934c3f7c6e785b2a13a59c685e007a9372df1b17
Instruction Fuzzy Hash: 1121F431604990AFD7149B25CC95FAE7799AF95324F148158F8268F6D2C771FC82C7D0

Function 001B78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8D8C
Part of subcall function 001B8D7D: lstrcpyW.KERNEL32(00000000,?,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B8DB2
Part of subcall function 001B8D7D: lstrcmpiW.KERNEL32(00000000,?,001B790A,?,000000FF,?,001B8754,00000000,?,0000001C,?,?), ref: 001B8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7923
lstrcpyW.KERNEL32(00000000,?,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001B8754,00000000,?,0000001C,?,?,00000000), ref: 001B7984

Strings

cdecl, xrefs: 001B797B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1c1ba93ed84bc342ca9deca84162ea7b9cda3a458afd3c0dfc1ef8867934a517
Instruction ID: 446d6b0ead6fe286b82933afe4687ab0f7115d3e0fded0719ee9be3b60822383
Opcode Fuzzy Hash: 1c1ba93ed84bc342ca9deca84162ea7b9cda3a458afd3c0dfc1ef8867934a517
Instruction Fuzzy Hash: 1D11263A200342ABCB15AF74DC44DBA77A9FF95764B00402AF802CB2A4EB31D812C7A1

Function 001E7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001E7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001E7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001E7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001CB7AD,00000000), ref: 001E7D6B

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 2a77bd631556dfb89eb9bc08660b8b87f50442ae81bcfa2361f67333869f35ad
Instruction ID: 3ae8975035c771faa20d49b498750345ea4753a893dc68b995211411eabc8d78
Opcode Fuzzy Hash: 2a77bd631556dfb89eb9bc08660b8b87f50442ae81bcfa2361f67333869f35ad
Instruction Fuzzy Hash: 8E11AE31204A95AFDB108FA9DC44EBA3BA4BF45360B154724F835CB2F0D73089A1CB80

Function 001E5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001E56BB
_wcslen.LIBCMT ref: 001E56CD
_wcslen.LIBCMT ref: 001E56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001E5816

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
Instruction ID: 67c7610adf6a37e576d34c0914502f3ebba8f9f4fd3809ff34131aaf7ff82c02
Opcode Fuzzy Hash: 40bf852205a2e3ed2b573aec4d818db821c837c8d2ef5a682801f3d5bfe88e61
Instruction Fuzzy Hash: 1111D375A00A99A6DF209FA2CCC5AEE77BCEF15768F148026F915D6081E770CA80CB60

Function 00181D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410a2a542dbd98e980337777be7eb31321473d5b1e2807328fe84dcbe564e28c
Instruction ID: 9bbe75c181fffc123f813da08482c2208d971a37fec86231d4fbec59caab65ad
Opcode Fuzzy Hash: 410a2a542dbd98e980337777be7eb31321473d5b1e2807328fe84dcbe564e28c
Instruction Fuzzy Hash: E301DBB3209A567EF62136F86CC8F2B665CDF513B8B310725F520A11D2DB208E424A60

Function 001B1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001B1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001B1A8A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
Instruction ID: a40292b94913eb253cdb6edad3f77eaaf9eccec4fbceb0a93fb475b6c635bbc8
Opcode Fuzzy Hash: 085ab49516526fe55bbdb1cd7b8be5f960e25dc62bcd9746105befc6a88761b8
Instruction Fuzzy Hash: 5011273A901219FFEB109BA4CD85FEDBB79EB08750F210091EA00B7290D7716E50DB94

Function 001BE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001BE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001BE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001BE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001BE24D

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
Instruction ID: abe6a3688d147d811b50f25573720d6fc33585df944201ba5b598f0da026f622
Opcode Fuzzy Hash: eaabe47dd14afea5e5b6b30c73dfd3e87c169bd923cad747b24d822996b34f39
Instruction Fuzzy Hash: E411E176904258BBC721DBE8AC49ADE7BEDAB45320F104299F825E3291D7B099018BA0

Function 0017D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0017CFF9,00000000,00000004,00000000), ref: 0017D218
GetLastError.KERNEL32 ref: 0017D224
__dosmaperr.LIBCMT ref: 0017D22B
ResumeThread.KERNEL32(00000000), ref: 0017D249

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
Instruction ID: fc3e66a432cae2e91e78886cfc5a2491d5d5ed5b3eac17a5a9f6fa94db7edfa8
Opcode Fuzzy Hash: 5311b664bebd7f6934e739e5906f2a7be05184c1ebcc9170ca65c972c1a7ca5a
Instruction Fuzzy Hash: DD01D236805208BBCB116BA5EC09BAF7A79EF91731F208219F929961D1CF70C942C6E0

Function 001E9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00169BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00169BB2

GetClientRect.USER32(?,?), ref: 001E9F31
GetCursorPos.USER32(?), ref: 001E9F3B
ScreenToClient.USER32(?,?), ref: 001E9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001E9F7A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 60fd14a6cc96986b21fed97eee685a68f536580fc6cdf52e45ba8fa14f02d8ba
Instruction ID: 74a082ac1d24f3f880566378d7b2ab32b8f7a65ce48c5ed8fe5c0768bb4689ec
Opcode Fuzzy Hash: 60fd14a6cc96986b21fed97eee685a68f536580fc6cdf52e45ba8fa14f02d8ba
Instruction Fuzzy Hash: B211367290069AABDB10DFAAD889DEE7BB9FF05311F000451F911E7151D330BA92CBE1

Function 0015600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
GetStockObject.GDI32(00000011), ref: 00156060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
Instruction ID: ca1273e21113052dea6ccfbe7369bdc883fc8abeabe74e4c71ce7eeee7016993
Opcode Fuzzy Hash: 1cb52e8c67ebc31763f474ecf7ef256dc508458a9acce96b84c2275b1ab25be6
Instruction Fuzzy Hash: 23118B72501648FFEF164FA4DC84EEABB69EF183A5F440201FE245A150C7369CA19BE0

Function 00173B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00173B56

Part of subcall function 00173AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00173AD2
Part of subcall function 00173AA3: ___AdjustPointer.LIBCMT ref: 00173AED

_UnwindNestedFrames.LIBCMT ref: 00173B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00173B7C
CallCatchBlock.LIBVCRUNTIME ref: 00173BA4

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 63fdb484111fcd34d67418c56c921a40c69e77d129e60978e7f4185fed160a71
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6901E932100149BBDF125E95CC46EEB7B79EF58754F048018FE6C96121C732E961EBA1

Function 00183073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001513C6,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue), ref: 001830A5
GetLastError.KERNEL32(?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000,00000364,?,00182E46), ref: 001830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0018301A,001513C6,00000000,00000000,00000000,?,0018328B,00000006,FlsSetValue,001F2290,FlsSetValue,00000000), ref: 001830BF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
Instruction ID: e03e78561e1531b4bf3e80a5f7e45164ccd89b6627098c43311297549a8ccc8e
Opcode Fuzzy Hash: 4468cca49bc91ffa9d4a19c46fcc8eabdb0abbd636da834eb60b895b1fb29170
Instruction Fuzzy Hash: AA01A732751322EBCB315BF9AC8896B7B98AF45F61B190720F925E7540D721DB42CBE0

Function 001B7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001B747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001B7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001B74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001B74CA

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
Instruction ID: 8a6267883d3a965de25dc564b9630db69c10a9853cea973606a28e5af70636d8
Opcode Fuzzy Hash: 70be6c84edc64d056eb4cf2f5221a74543564703f454e3d7ed28dda09cd4a20a
Instruction Fuzzy Hash: 5611A1B12093149BE7209F54DC48FD67BFCEB40B01F108969E616DA5D1D770E944DB90

Function 001BB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001BACD3,?,00008000), ref: 001BB126

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
Instruction ID: d7d6ca2225c388a499725ca3b9db81e3dd8fdecdda71b296ed4896f4ad965c4d
Opcode Fuzzy Hash: eba3e359d5183d3f03802919c0f87f922b98df4edd21ec01882598df3b64316f
Instruction Fuzzy Hash: 4E113971C0552CE7CF04AFE8E9E86FEBB78FF0A711F114085E941B6681CBB096518B91

Function 001E7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E7E33
ScreenToClient.USER32(?,?), ref: 001E7E4B
ScreenToClient.USER32(?,?), ref: 001E7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001E7E8A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 65afbec5e2a805e3d5a04422289538ba9e167b3ffce2aa9741b6fc4711205582
Instruction ID: bffb23cd39a0255700f9c6d34ddafb1c8953016e9a434207c6277de24a4af33c
Opcode Fuzzy Hash: 65afbec5e2a805e3d5a04422289538ba9e167b3ffce2aa9741b6fc4711205582
Instruction Fuzzy Hash: 3F1186B9D0024AAFDB41CF99D8849EEBBF5FF08310F104056E911E3610D734AA95CF90

Function 001B2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001B2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001B2DD6
GetCurrentThreadId.KERNEL32 ref: 001B2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001B2DE4

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
Instruction ID: 78eb0e92972cfff952966d3d02f5f642e533261d353615e6875261b07e5b2489
Opcode Fuzzy Hash: 95c7b3b8bc58545193677c83e39086546a2ee8db14cb9dbf3674ceedbd74ee75
Instruction Fuzzy Hash: 9DE09272101224BBDB201BF29C4DFEF7E6CEF46BA1F000019F105D55809BA0C886C6F0

Function 001E8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00169639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00169693
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696A2
Part of subcall function 00169639: BeginPath.GDI32(?), ref: 001696B9
Part of subcall function 00169639: SelectObject.GDI32(?,00000000), ref: 001696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001E8887
LineTo.GDI32(?,?,?), ref: 001E8894
EndPath.GDI32(?), ref: 001E88A4
StrokePath.GDI32(?), ref: 001E88B2

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
Instruction ID: 50293e575f18c032634952dc56eae5cdf6e1a3facc1927af38d952f567ffc050
Opcode Fuzzy Hash: c9951a552a88de4d3937dbfa378370f2818589534fd3bfa2054bf335c16571eb
Instruction Fuzzy Hash: 22F03A3A041698FADB125FD4AC0DFCE3A59AF16310F048000FE12690E1C77555A2CFE5

Function 001698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001698CC
SetTextColor.GDI32(?,?), ref: 001698D6
SetBkMode.GDI32(?,00000001), ref: 001698E9
GetStockObject.GDI32(00000005), ref: 001698F1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
Instruction ID: f1722d5a1ba19309466168c2a872140b64be357324a72ec4c6b13aadee6ecc6e
Opcode Fuzzy Hash: 9311caa5f2984efbdd564183020a999d9506f759f0d93f20172307b240d09d65
Instruction Fuzzy Hash: 13E06D31244680EADB215BB8EC49BEC3F61EB52736F048219F6FA584E1C37146919F10

Function 001B162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001B1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001B11D9), ref: 001B1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001B11D9), ref: 001B164F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
Instruction ID: 33f6b75816b53be5178a26024104fdc0deba0cd74ffa4cfa1b1d376cc20cebad
Opcode Fuzzy Hash: 3377e023383d48d1d342e99c16e6af86068c9f8d71506c7b86d0552998e938a4
Instruction Fuzzy Hash: 4DE08C36602211EBD7201FE4AE4DB8F3B7CAF547A2F158808F646CD080E7748482CBA0

Function 001AD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001AD858
GetDC.USER32(00000000), ref: 001AD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
ReleaseDC.USER32(?), ref: 001AD8A3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
Instruction ID: 7683996b03be14eb6ceeeea1f4397ea6a63391dbab261563ee672c46cb96b620
Opcode Fuzzy Hash: 5fb5b6bfd601eb650301cc96854fc33d617fcd7509aa6ed00e3b556a6c8c8354
Instruction Fuzzy Hash: A0E01AB8800204DFCF419FE4DC4866EBBB1FB48311F118409F816EB750C7384992AF80

Function 001AD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001AD86C
GetDC.USER32(00000000), ref: 001AD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001AD882
ReleaseDC.USER32(?), ref: 001AD8A3

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
Instruction ID: f3099c2a4f126f4b9dd719f364912cdb8a383943c695fdb07094f23851925816
Opcode Fuzzy Hash: cdb952920b08dc96e74f81485cc875cd62b1e671e0f2a6c62b62080191c4e14d
Instruction Fuzzy Hash: 93E012B4C00200EFCF40AFE4DC8866EBBB1BB48311B108409F81AEB750CB385982AF80

Function 001C4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00157620: _wcslen.LIBCMT ref: 00157625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001C4ED4

Strings

LPT, xrefs: 001C4DFB
*, xrefs: 001C4E10

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c319d55ccaeb7f48b554d85419f6e052113d76f1db0f933227abd84636ca405c
Instruction ID: bdccafb17d88d01912f4a739ad55d167985cfabd5715cb449c37e88f0b010c42
Opcode Fuzzy Hash: c319d55ccaeb7f48b554d85419f6e052113d76f1db0f933227abd84636ca405c
Instruction Fuzzy Hash: C0917B74A042049FDB14DF58C494FAABBF1AF64304F19809DE84A9F3A2D735EE85CB90

Function 0017E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0017E30D

Strings

pow, xrefs: 0017E2E5, 0017E302

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
Instruction ID: 2f0414df68c60a4ff7c075c712b45b4cffc0499d565ba97df42b11ec6c2f4479
Opcode Fuzzy Hash: dfb2ac2cefe9cf1b69acf60ad67a50187fc8e5ce56ec6775b6a127ff2838a1e4
Instruction Fuzzy Hash: D7513761A0C20296CB157724C94137A3BF4AB54740F34CED8E09A832E9EB35CED1DF46

Function 001D7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,?,00000000,00000000), ref: 001D78DD

Part of subcall function 00156B57: _wcslen.LIBCMT ref: 00156B6A

CharUpperBuffW.USER32(001A569E,00000000,?,001ECC08,00000000,?,00000000,00000000), ref: 001D783B

Strings

<s!, xrefs: 001D77C8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s!
API String ID: 3544283678-2588671885
Opcode ID: 7562ab348ee128848e2fe448dcb70dcfc890891c6d2c909c6c6a65bac611d086
Instruction ID: cfb542ee91d69d090ebdbc296683a686a1a9c4ac2d9e7329ceb66f450223305a
Opcode Fuzzy Hash: 7562ab348ee128848e2fe448dcb70dcfc890891c6d2c909c6c6a65bac611d086
Instruction Fuzzy Hash: 31615E72914118EACF08EBA4DCA1DFDB374BF28305B844526E952AB191FF345A49DBA0

Function 0016E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0016E1B1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9574b104a20e4939a1bbffa454db2f51c8352f6b9520a6ff3fd0df1306f4e243
Instruction ID: ed717b7508800db7161ba330e6c7f9fe28721e13770d2ac604829c4ad372bcc3
Opcode Fuzzy Hash: 9574b104a20e4939a1bbffa454db2f51c8352f6b9520a6ff3fd0df1306f4e243
Instruction Fuzzy Hash: C6516479900346DFDB19DFA8C891ABA7BE5EF26310F244119FC919B2C0DB349D56CBA0

Function 0016F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0016F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0016F2BB

Strings

@, xrefs: 0016F2AF

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
Instruction ID: 33689b676728d23587d7eb94e7320452bb124306e9654ff776032c993270386d
Opcode Fuzzy Hash: c534eb53d9e58a9fb66d7975ec36ffa046410414bcd45b34734075e68dc9858d
Instruction Fuzzy Hash: D0515771408744DBD320AF14EC86BAFBBF8FB95301F81884DF5E945196EB708529CBA6

Function 001D5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001D57E0
_wcslen.LIBCMT ref: 001D57EC

Strings

CALLARGARRAY, xrefs: 001D57E6, 001D57EB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6b0a62f9f30b3377cf44eb843fb8e362f8d0ab55a9b5f66afad1f95afe60ed89
Instruction ID: 40d88311a2f2c46150392b930240810290fb121da801e6ccbc20ad61cddd0d03
Opcode Fuzzy Hash: 6b0a62f9f30b3377cf44eb843fb8e362f8d0ab55a9b5f66afad1f95afe60ed89
Instruction Fuzzy Hash: 2041A031A00209DFCF14DFA9C8818AEBBB6FF69314F10416AE515AB391E7349D81CB90

Function 001CD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001CD13A

Strings

|, xrefs: 001CD10B

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
Instruction ID: 6b5276cf5ae7eddfe0135b784975c3185359ca399ad6f7b1fcc47067c3dbb471
Opcode Fuzzy Hash: f7dab63c0d5173c1dae1e644be3577186482e02f7b2f5395021a4b3b01ad5c8a
Instruction Fuzzy Hash: 3531F871D01109ABCF15EFA4DC85AEE7BB9FF24300F040069F815AA161D731AA46CB90

Function 001E356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001E3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001E365C

Strings

static, xrefs: 001E35BC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7901795866f451fdb803683cab74f91c1b4083d6d6fed057a44af844c2de7ec9
Instruction ID: 5d4caa35a8b88a046845d9e54ab0ff147b3ea99aeab738c1e5c243c3dfea4321
Opcode Fuzzy Hash: 7901795866f451fdb803683cab74f91c1b4083d6d6fed057a44af844c2de7ec9
Instruction Fuzzy Hash: D5319E71100A44AEDB109F79DC85EFF73A9FF98760F009619F8A597280DB31AD92D760

Function 001E4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001E461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001E4634

Strings

', xrefs: 001E458E

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
Instruction ID: b6af29e73e9d958a400243e0d7b8fb02bc79c841d8dd976b76299186daa41de7
Opcode Fuzzy Hash: 7bd75c92e11d5884fc8a1643aa7ee902166f9d95ee5799a480e48513329f153a
Instruction Fuzzy Hash: A8311874A01759AFDB14CFAAC990BDEBBB5FF49300F14406AE905AB391D770A941CF90

Function 001E31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001E327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001E3287

Strings

Combobox, xrefs: 001E3249

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
Instruction ID: 61100ad46a4a10fd3b6e7eb7e646975c4849a0d3ace3081b4f5205181d7079c5
Opcode Fuzzy Hash: 31a78315ff84cecf971bcfecaf67ee4313a099e4dff3df5d7238d289c3a7603f
Instruction Fuzzy Hash: E411D3712005497FEF259E95DC88EAF37AAEB943A4F100124FA6897290D7319D518760

Function 001E3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0015600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0015604C
Part of subcall function 0015600E: GetStockObject.GDI32(00000011), ref: 00156060
Part of subcall function 0015600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0015606A

GetWindowRect.USER32(00000000,?), ref: 001E377A
GetSysColor.USER32(00000012), ref: 001E3794

Strings

static, xrefs: 001E3757

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
Instruction ID: 6d1e68bef1bee937c8da48ced31df3082846c384055d3c08ef292048b5d043fe
Opcode Fuzzy Hash: 8969c02eae11e5655311b9cdea95ac4e08c5541c350db938185578f0e17809ba
Instruction Fuzzy Hash: A51159B2610649AFDF10DFA8CC49EEE7BB8EB08314F004514F965E3250D735E8519B90

Function 001CCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001CCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001CCDA6

Strings

<local>, xrefs: 001CCD66

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
Instruction ID: 5686faf0816ecec6b156ccb49130a1defc4513729ce8fb24d54205a304b25af1
Opcode Fuzzy Hash: d580bc24f97e4b7c508f3d516a5a667eca1366e0a2cbcabb5e4752a965975b2b
Instruction Fuzzy Hash: 7B11A77151563179D7284AA69C45FF7BE68EB227A4F014229F10E86080D770DC41D6F0

Function 001E3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001E34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001E34BA

Strings

edit, xrefs: 001E348F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
Instruction ID: 2e7d0b47a85f17fb0774e0d2f9c84b999c345e4860e683ef4b12bf70871a6acc
Opcode Fuzzy Hash: ddd86182a93c3f961c219c02b1f293b0538c88fddaac7c062cb46e43173933a9
Instruction Fuzzy Hash: C111BF71100588AFEB124E65DC88AEF376AEF15374F504324F970971D0C731DD929B50

Function 001B6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

CharUpperBuffW.USER32(?,?,?), ref: 001B6CB6
_wcslen.LIBCMT ref: 001B6CC2

Strings

STOP, xrefs: 001B6CBC, 001B6CC1

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 91e21ff79c13f1c8dd8489e4829a7e8263a8e7334f4f2a885158b862f756da5d
Instruction ID: 088d5af765dcec3b54c479d4915abd5065ead735fc314680db80a61a70d89301
Opcode Fuzzy Hash: 91e21ff79c13f1c8dd8489e4829a7e8263a8e7334f4f2a885158b862f756da5d
Instruction Fuzzy Hash: C9010032A00526CBCB20AFFDDC918FF7BB5EB75710B400928E8A29A190EB39D844C650

Function 001B1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001B1D4C

Strings

ListBox, xrefs: 001B1D16
ComboBox, xrefs: 001B1CEB

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 74b53c938c029581be1a84848072f13b5fa4ab1d1f2cd46f30c2dee73a0db3c1
Instruction ID: 26c9c6cb9fa50c3f74982c47d15f2773704bcaea59804380c91aeeb32e56d0d6
Opcode Fuzzy Hash: 74b53c938c029581be1a84848072f13b5fa4ab1d1f2cd46f30c2dee73a0db3c1
Instruction Fuzzy Hash: A101B575601218EB8B08EBE4CC658FE77A9EB66350B54091AF8325B2C1EB30591D8661

Function 001B1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001B1C46

Strings

ListBox, xrefs: 001B1C10
ComboBox, xrefs: 001B1BE5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3bb148c78f0c87b09cfd7c153e5a91d5d2fdbe4c2b6aa68ebd58a94232f74a9b
Instruction ID: 5ea96a0037408dc0ed90dbceca7d08da76d8461c0481d1c237844bb828086abf
Opcode Fuzzy Hash: 3bb148c78f0c87b09cfd7c153e5a91d5d2fdbe4c2b6aa68ebd58a94232f74a9b
Instruction Fuzzy Hash: 8B01A775681108F6CB08EB90D9629FF7BA89F66340F540019E8166B282EB209F1C96B2

Function 001B1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001B1CC8

Strings

ListBox, xrefs: 001B1C94
ComboBox, xrefs: 001B1C69

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ccd710074e37496f2a0f6bd8c0bca5809918a0e0541a350b01f0907db9488ae3
Instruction ID: 012fd4836a20d8bef3b827731a48e106013bbdb927a636c28b6f9f120157e76a
Opcode Fuzzy Hash: ccd710074e37496f2a0f6bd8c0bca5809918a0e0541a350b01f0907db9488ae3
Instruction Fuzzy Hash: DF01DB75640118F7CB04E794CA11AFF7BE89B21340F950015FC1177281EB209F1DD672

Function 001B1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159CB3: _wcslen.LIBCMT ref: 00159CBD

Part of subcall function 001B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001B3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001B1DD3

Strings

ListBox, xrefs: 001B1DA0
ComboBox, xrefs: 001B1D75

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 32c25943b9c8436c5e63264a2fe75d7f5b0835e516f35f9d6854d7c95d2df20c
Instruction ID: 4161c3fa190f5b91a2bf0ea86fbe66ca092153f56646e78bcda81bfffc5da089
Opcode Fuzzy Hash: 32c25943b9c8436c5e63264a2fe75d7f5b0835e516f35f9d6854d7c95d2df20c
Instruction Fuzzy Hash: 85F0A975A51218F6D704E7E4CC55AFF77B8AB22350F940915F8326B2C5DB605A1C8261

Function 001E8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00223018,0022305C), ref: 001E81BF
CloseHandle.KERNEL32 ref: 001E81D1

Strings

\0", xrefs: 001E818A

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0"
API String ID: 3712363035-2428598737
Opcode ID: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
Instruction ID: 2e40c9d42616838996e9349ade22f8f60ebb21a2413dba469735e65309b06851
Opcode Fuzzy Hash: 1bff300e1ea180ed003e92d528049b2b12445c057370e66278166a4e0005ba96
Instruction Fuzzy Hash: 4FF054B1640310BEE220A7A17C49F773A5CEB04751F004420FB0CD91A1D6798B5282F8

Function 001D747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D7493
_wcslen.LIBCMT ref: 001D74B9

Strings

3, 3, 16, 1, xrefs: 001D7483

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
Instruction ID: d8b50a33ec9524ef5f72f4682182af5cf1362b8ede9105729b58e483d968d7e4
Opcode Fuzzy Hash: 37e5b951eaf50a0f7e34debccb44a6d083bad41796b274c1f5f677d0e314550e
Instruction Fuzzy Hash: BCE02B0221422012923212799CC197F56D9CFE9750710182BFA89C23A6FB948D9193A1

Function 001B0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001B0B23

Strings

AutoIt, xrefs: 001B0B17
Error allocating memory., xrefs: 001B0B1C

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 029917665cce401ae319c3c1c26bfaa872fb9a2678ad59bb868353d3340284b4
Instruction ID: b522ed2816181fe1fa2d91f2f4153885c91ced9d734d2f32e260b30b0f567427
Opcode Fuzzy Hash: 029917665cce401ae319c3c1c26bfaa872fb9a2678ad59bb868353d3340284b4
Instruction Fuzzy Hash: A0E0D8312843586BD21437957C03FCD7A848F19F25F20046AFB58994C38BE228A106E9

Function 00170D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0016F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00170D71,?,?,?,0015100A), ref: 0016F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0015100A), ref: 00170D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0015100A), ref: 00170D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00170D7F

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
Instruction ID: 1ecf9bbbeb07ae63412d363eacc90ded98c658e9610da08c45e8baff5d4faca0
Opcode Fuzzy Hash: 767e5cc5c23725548c49dff5bea51ddb57795cea1c013934f6da556870e0da2c
Instruction Fuzzy Hash: 8FE06D742007818FD3319FF9E94874A7BF1EB18744F00896DE89ACA651EBB0E4868B91

Function 0016E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0016E3D5

Strings

8%", xrefs: 0016E3CA
0%", xrefs: 0016E3B5

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%"$8%"
API String ID: 1385522511-3788803983
Opcode ID: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
Instruction ID: d619edb0e12bfc303d7e298afb9e4b9e67d831740ed940c398311992d8affb43
Opcode Fuzzy Hash: 6327a739b9408ed411e364921c35949e7bdaf554e2ddf2df6ae23832d3ba7f46
Instruction Fuzzy Hash: 06E02636810A20FBCA1D975CFE58A8833A1BF18320BD0A268E4028F2D19B3628768644

Function 001C3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001C302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001C3044

Strings

aut, xrefs: 001C3038

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
Instruction ID: 410ae1509be0c9d4359b6a238850cdf57ee8c7a2887503001cb1b80c720b5ab3
Opcode Fuzzy Hash: 3b53b76085a8121009f87d432492e180ab02e1e188c50920210ee1498e0725ba
Instruction Fuzzy Hash: 39D05E7290032867DA20A7E4AC4EFCF7A7CEB05751F0002A1BB55E6091DAB099C5CAD0

Function 001AD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001AD220

Strings

%.3d, xrefs: 001AD22B
X64, xrefs: 001AD2A8

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d6bf02c5a1160943136f4d806227390f76325b91ebe04c43ee7aa0d744fe9dcf
Instruction ID: afa0c6353f5650894943ad4bd79274df72d4393c238372b3ec9a200c448fb1b7
Opcode Fuzzy Hash: d6bf02c5a1160943136f4d806227390f76325b91ebe04c43ee7aa0d744fe9dcf
Instruction Fuzzy Hash: 53D012A9C08509E9CB5496D0EC45AFAB3BCBB1A341F528453FD07D1440D724C559E762

Function 001E2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001E233F

Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3

Strings

Shell_TrayWnd, xrefs: 001E2325

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 275442bdb2a280d108cfc0e3a6e60c82fe630e62714b18a446bcfef7a5d163c1
Instruction ID: e57750987ea396fa223f91b42a4b32ff763b37ced48f95a6e1ec01358bf0cdca
Opcode Fuzzy Hash: 275442bdb2a280d108cfc0e3a6e60c82fe630e62714b18a446bcfef7a5d163c1
Instruction Fuzzy Hash: 8DD0C9363D5350BAE664A7B0DC4FFCBAA549B14B14F044916B645AA1D0CAA0A8868A94

Function 001E2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001E236C
PostMessageW.USER32(00000000), ref: 001E2373

Part of subcall function 001BE97B: Sleep.KERNEL32 ref: 001BE9F3

Strings

Shell_TrayWnd, xrefs: 001E2365

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 321cce5beb37f7be9e2b8b97eee6bdf3a7ac1638d31bfed4f6d3a05e24bb8448
Instruction ID: 1ce3e3fba8c06d0c8eee10c6219fc57525596253e0336a4c8d25ef29e51092d7
Opcode Fuzzy Hash: 321cce5beb37f7be9e2b8b97eee6bdf3a7ac1638d31bfed4f6d3a05e24bb8448
Instruction Fuzzy Hash: 0DD0C9363D1350BAE664A7B0DC4FFCBA6549B15B14F044916B645AA1D0CAA0B8868A94

Function 0018BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0018BE93
GetLastError.KERNEL32 ref: 0018BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018BEFC

Memory Dump Source

Source File: 00000000.00000002.2091873613.0000000000151000.00000020.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true

Associated: 00000000.00000002.2091454193.0000000000150000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.00000000001EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092269152.0000000000212000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092537945.000000000021C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2092571512.0000000000224000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 86a543253729a9f11f06067ed46e88676fa99409e99810c2cc6f6b52f8227fc4
Instruction ID: c697e2697df75e250a9df4318d00ec40c141fbbd990f4732ec6e1962e281821f
Opcode Fuzzy Hash: 86a543253729a9f11f06067ed46e88676fa99409e99810c2cc6f6b52f8227fc4
Instruction Fuzzy Hash: 5D41FA35608206EFCF25AFA4CCC4ABA7BB5EF42310F154169FA595B1A1DB308E41CF50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2245063416.000001A38A07D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2157367057.000001A38774F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155808934.000001A38644A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/erZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2304864264.0000392F3A603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ,"://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2304864264.0000392F3A603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ,"://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2304864264.0000392F3A603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ,"www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2242431930.000001A38DFBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293482734.000001A3861E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2222390562.000001A38DBE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222774916.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242468804.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2222390562.000001A38DBE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222774916.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242468804.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2242431930.000001A38DFBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251665166.000001A387274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293482734.000001A3861E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2215898726.000001A38D7E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2215898726.000001A38D7E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2304991468.000016B7FE203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2222390562.000001A38DBE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222774916.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2222390562.000001A38DBE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222774916.000001A38DBC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2105148160.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269963007.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2105148160.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269963007.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2105148160.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270425453.000001A387FB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269963007.000001A3882D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3290744122.000001DF5E00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3290744122.000001DF5E00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3290744122.000001DF5E00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2215148519.000001A38F1F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263276601.000001A38F1F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2232757527.000001A38F1F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2242431930.000001A38DFBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251665166.000001A387274000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304864264.0000392F3A603000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293482734.000001A3861E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2245638535.000001A38868D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267836731.000001A388697000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2305132305.000007A792803000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2251665166.000001A387254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.5:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49837 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff3da076-613a-4f5d-a016-a306fc15f415.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ff3da076-613a-4f5d-a016-a306fc15f415.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre