Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544377
MD5:	3913a8f8f34fb2bad2930574dc7b5247
SHA1:	49bfccfd45486046fb07fd4471311e1be47189e7
SHA256:	d4989cc1c285c328598aebaa67ba110c2f43080e3dd71ef6181d30aa40fe44c3
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3913A8F8F34FB2BAD2930574DC7B5247)

taskkill.exe (PID: 3656 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6496 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4320 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4432 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5144 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6412 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4196 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7136 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a382715-91ea-4e9d-adff-b013096cc28b} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fac5b6fd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7348 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -prefsHandle 3936 -prefMapHandle 4044 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db0bfcc8-6b1d-4cd7-9e24-cfb931e11c14} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fad8122a10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7884 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5024 -prefMapHandle 5020 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79db0927-a12c-44b4-a85f-ce543a5c6f85} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1faddffcf10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2086932396.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.2086692897.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 3008	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00A4EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A4EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A4ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00A4EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A3AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A69576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A69576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2023811488.0000000000A92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64179ebb-b
Source: file.exe, 00000000.00000000.2023811488.0000000000A92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3b7b20e0-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b13732eb-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aeda0674-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000027A1FCE67B7 NtQuerySystemInformation,		17_2_0000027A1FCE67B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000027A203636F2 NtQuerySystemInformation,		17_2_0000027A203636F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A3D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A31201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A31201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A3E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A42046	0_2_00A42046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D8060	0_2_009D8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A38298	0_2_00A38298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0E4FF	0_2_00A0E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0676B	0_2_00A0676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A64873	0_2_00A64873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FCAA0	0_2_009FCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DCAF0	0_2_009DCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009ECC39	0_2_009ECC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A06DD9	0_2_00A06DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D91C0	0_2_009D91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EB119	0_2_009EB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F1394	0_2_009F1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F1706	0_2_009F1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F781B	0_2_009F781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F19B0	0_2_009F19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D7920	0_2_009D7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E997D	0_2_009E997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F7A4A	0_2_009F7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F7CA7	0_2_009F7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F1C77	0_2_009F1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A09EEE	0_2_00A09EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5BE44	0_2_00A5BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F1F32	0_2_009F1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000027A1FCE67B7	17_2_0000027A1FCE67B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000027A203636F2	17_2_0000027A203636F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000027A20363732	17_2_0000027A20363732
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000027A20363E1C	17_2_0000027A20363E1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009D9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009F0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009EF9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A437B5 GetLastError,FormatMessageW,

0_2_00A437B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A310BF AdjustTokenPrivileges,CloseHandle,		0_2_00A310BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A316C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A451CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A3D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00A4648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009D42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2270851699.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2232454442.000001FADF4FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a382715-91ea-4e9d-adff-b013096cc28b} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fac5b6fd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -prefsHandle 3936 -prefMapHandle 4044 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db0bfcc8-6b1d-4cd7-9e24-cfb931e11c14} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fad8122a10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5024 -prefMapHandle 5020 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79db0927-a12c-44b4-a85f-ce543a5c6f85} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1faddffcf10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a382715-91ea-4e9d-adff-b013096cc28b} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fac5b6fd10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -prefsHandle 3936 -prefMapHandle 4044 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db0bfcc8-6b1d-4cd7-9e24-cfb931e11c14} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fad8122a10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5024 -prefMapHandle 5020 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79db0927-a12c-44b4-a85f-ce543a5c6f85} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1faddffcf10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2192553882.000001FAE1741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2191585480.000001FAD59A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192686154.000001FAD59A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2194278306.000001FAD59A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2191585480.000001FAD59A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192686154.000001FAD59A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2192553882.000001FAE1741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2194278306.000001FAD59A1000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009D42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009F0A76 push ecx; ret

0_2_009F0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009EF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A61C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A61C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96203

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000027A1FCE67B7 rdtsc

17_2_0000027A1FCE67B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A3DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0C2A2 FindFirstFileExW,	0_2_00A0C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A468EE FindFirstFileW,FindClose,	0_2_00A468EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00A4698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A3D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A3D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A49642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A49642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A4979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A49B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A49B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A45C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A45C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009D42DE

Source: firefox.exe, 00000012.00000002.3281899625.000001E9801CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@%e
Source: firefox.exe, 00000010.00000002.3289500951.0000028186240000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3283008248.000002818585A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3281896910.0000027A1F97A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3289030437.0000027A20260000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3287856581.000001E980650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3284221877.0000028185C15000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3289500951.0000028186240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: firefox.exe, 00000010.00000002.3283008248.000002818585A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 00000010.00000002.3289500951.0000028186240000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3289030437.0000027A20260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.3289500951.0000028186240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000027A1FCE67B7 rdtsc

17_2_0000027A1FCE67B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4EAA2 BlockInput,

0_2_00A4EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A02622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A02622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009D42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009F4CE8 mov eax, dword ptr fs:[00000030h]

0_2_009F4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A30B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A30B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A02622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A02622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009F083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F09D5 SetUnhandledExceptionFilter,	0_2_009F09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009F0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A31201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A12BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A12BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3B226 SendInput,keybd_event,

0_2_00A3B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A522DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00A30B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A31663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A31663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009F0698 cpuid

0_2_009F0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A48195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00A48195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2D27A GetUserNameW,

0_2_00A2D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A0B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00A0B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009D42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2086932396.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2086692897.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3008, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2086932396.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2086692897.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3008, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00A51204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A51806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.16.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3283675207.000001E9805D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2295559091.000001FAD7B3D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2232708950.000001FADF4D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285063662.000001FAD7AFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271561142.000001FAD7AF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249521252.000001FAD7AF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2091330106.000001FADDB2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089240937.000001FADDB30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208965993.000001FADDB30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3285898387.0000028185ECB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3284458947.0000027A1FDF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3288172231.000001E980803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3285898387.0000028185E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3284458947.0000027A1FD86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3283675207.000001E98058F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2101889964.000001FAD7267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293042688.000001FADDE3B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.comP	firefox.exe, 0000000E.00000003.2248207100.000001FAD82E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282446194.000001FAD82E7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2270015884.000001FADD977000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2103096715.000001FADDF80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101889964.000001FAD7267000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2070634601.000001FAD5D53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070470847.000001FAD5D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070055830.000001FAD5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070791224.000001FAD5D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070994704.000001FAD5D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070281562.000001FAD5D1D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2234183376.000001FADF404000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2278777986.000001FADD93A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2293386358.000001FADDA58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2070634601.000001FAD5D53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205921058.000001FAD780E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070470847.000001FAD5D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070055830.000001FAD5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070791224.000001FAD5D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101889964.000001FAD7267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070994704.000001FAD5D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070281562.000001FAD5D1D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2242790312.000001FAD9464000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://mozilla.org/0	firefox.exe, 0000000E.00000003.2272519379.00002448C4B03000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2070634601.000001FAD5D53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070470847.000001FAD5D38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070055830.000001FAD5B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070791224.000001FAD5D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070281562.000001FAD5D1D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2264277847.000001FADFF53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282988660.000001FAD81CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242790312.000001FAD9448000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=utf-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2101729992.000001FAD728A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2279337949.000001FAD86E4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/Can	firefox.exe, 0000000E.00000003.2101889964.000001FAD7267000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2110120504.000001FAD7880000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111758957.000001FAD788D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111997367.000001FAD788C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2110678772.000001FAD788D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2https:	firefox.exe, 0000000E.00000003.2101889964.000001FAD7267000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2239741030.000001FADDC59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293042688.000001FADDE3B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://accounts.google.coUw	firefox.exe, 00000011.00000002.3283459320.0000027A1FCC0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2257621291.000001FAD2AC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258968946.000001FAD2AD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2123921792.000001FAD778A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124077336.000001FAD779D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119441309.000001FAD778B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2293042688.000001FADDE3B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2284679034.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295559091.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249045365.000001FAD7BA1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3283675207.000001E9805D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2123921792.000001FAD778A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119441309.000001FAD778B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2190639201.000001FAD7572000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2279337949.000001FAD8686000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2233793493.000001FADF49B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3285898387.0000028185ECB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3284458947.0000027A1FDF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3288172231.000001E980803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3285898387.0000028185ECB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3284458947.0000027A1FDF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3288172231.000001E980803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2296646853.000001FAD76CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278777986.000001FADD93A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278777986.000001FADD95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293965944.000001FADD95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293965944.000001FADD93C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3284458947.0000027A1FD12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3283675207.000001E980513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2293042688.000001FADDE3B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3287378957.000001E980640000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2239018826.000001FADDFCD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2278777986.000001FADD93A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2101729992.000001FAD727B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2123921792.000001FAD778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2279061375.000001FAD8932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103096715.000001FADDF6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188943280.000001FAD68CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188943280.000001FAD68D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077604690.000001FAD61EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279196403.000001FAD8929000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077555290.000001FAD6E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290277410.000001FAD6137000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2180569919.000001FAD61D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077990727.000001FAD6E46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115701601.000001FAD6F9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290095891.000001FAD61E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2077718362.000001FAD6E2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267802085.000001FAD68DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190639201.000001FAD755E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2079448116.000001FAD61C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2078441361.000001FAD61E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190639201.000001FAD7572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190639201.000001FAD7580000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2072409013.000001FAD5D63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190639201.000001FAD756D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2242790312.000001FAD9464000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2268908284.000001FADDC35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239741030.000001FADDC30000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2242790312.000001FAD9464000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2240760398.000001FADDAE6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2270851699.000001FAD86E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240760398.000001FADDAA3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2270851699.000001FAD86E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240760398.000001FADDAA3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2101729992.000001FAD727B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2091330106.000001FADDB2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208965993.000001FADDB30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2293386358.000001FADDA5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2293042688.000001FADDE4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2254972299.000001FADDE4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2101889964.000001FAD7267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267695194.000001FADDE4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2293386358.000001FADDA5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2239018826.000001FADDFD8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2213709277.000001FAD2D73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2123921792.000001FAD778A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2297540278.000001FAD7680000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3283671849.0000028185900000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3283113700.0000027A1FC50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3283317372.000001E9803B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2245904731.000001FAD85DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2093821199.000001FAD85DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279856001.000001FAD85DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2104235827.000001FAD85DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2123921792.000001FAD778A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2124077336.000001FAD779D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119441309.000001FAD778B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2213709277.000001FAD2D73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257621291.000001FAD2AC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258968946.000001FAD2AD2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2284679034.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295559091.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249045365.000001FAD7BA1000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544377
Start date and time:	2024-10-29 10:47:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 320
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.185.230.140, 52.11.191.138, 35.160.212.113, 172.217.18.10, 172.217.16.202, 2.18.121.79, 2.18.121.73, 142.250.185.238, 2.22.61.56, 2.22.61.59, 142.250.186.110
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7136 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
05:48:03	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	ppc.elf	Get hash	malicious	Unknown	Browse	48.145.200.199
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	48.203.148.3
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	48.249.90.27
	arm5.elf	Get hash	malicious	Unknown	Browse	33.128.163.124
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	48.197.170.140
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	57.222.125.157
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	34.28.143.154
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	56.242.13.237
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	34.11.101.224
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	48.143.185.36
FASTLYUS	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email#	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	https://inspireelectricale.za.com/u78dq	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	https://filerit.com/pi-240924.ps1	Get hash	malicious	Unknown	Browse	185.199.111.133
	http://solidgdrive.glitch.me/gdry/edix/list.html?e=Dale.Hardy@40kwc.com	Get hash	malicious	Unknown	Browse	199.232.196.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	ppc.elf	Get hash	malicious	Unknown	Browse	48.145.200.199
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	48.203.148.3
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	48.249.90.27
	arm5.elf	Get hash	malicious	Unknown	Browse	33.128.163.124
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	48.197.170.140
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	57.222.125.157
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	34.28.143.154
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	56.242.13.237
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	34.11.101.224
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	48.143.185.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ec1ca031-ec86-4970-a4ac-40b9ed9a89e3.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17178330624929
Encrypted:	false
SSDEEP:	192:FbKMi3D0cbhbVbTbfbRbObtbyEl7nsrpJA6wnSrDtTkd/S2:pPNcNhnzFSJMrEjnSrDhkd/z
MD5:	9684A3FBE76B18597294933CB0EF9274
SHA1:	EEF480BFF7C2ED0176A6C5F286235F30328F1617
SHA-256:	21DC897FF38C4A53A20CC0E42AAAD7092BB7DF51350E19C63463FF0446763AA9
SHA-512:	93197DFCF5DA0B4093FC6C998C72241BAC640141FD7C55B95720AE7A32F2B8EE3EDB75BAE88A882D56C7AEAFFE7327AB75138B34E30E8C44A5B6258AB007AA74
Malicious:	false
Preview:	{"type":"uninstall","id":"ec1ca031-ec86-4970-a4ac-40b9ed9a89e3","creationDate":"2024-10-29T11:14:00.794Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ec1ca031-ec86-4970-a4ac-40b9ed9a89e3.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.17178330624929
Encrypted:	false
SSDEEP:	192:FbKMi3D0cbhbVbTbfbRbObtbyEl7nsrpJA6wnSrDtTkd/S2:pPNcNhnzFSJMrEjnSrDhkd/z
MD5:	9684A3FBE76B18597294933CB0EF9274
SHA1:	EEF480BFF7C2ED0176A6C5F286235F30328F1617
SHA-256:	21DC897FF38C4A53A20CC0E42AAAD7092BB7DF51350E19C63463FF0446763AA9
SHA-512:	93197DFCF5DA0B4093FC6C998C72241BAC640141FD7C55B95720AE7A32F2B8EE3EDB75BAE88A882D56C7AEAFFE7327AB75138B34E30E8C44A5B6258AB007AA74
Malicious:	false
Preview:	{"type":"uninstall","id":"ec1ca031-ec86-4970-a4ac-40b9ed9a89e3","creationDate":"2024-10-29T11:14:00.794Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9238125874513
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNzo9Ixeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LDu8P
MD5:	668FD1D3EFA56C6ACABADA2CB4711AF5
SHA1:	22198C5FDDF7097A9433FEF049A6E04F95E01D2F
SHA-256:	6BF6DF02A25863DAB0F1145817A4C0A332E13AC746173899E88DB00129E218CA
SHA-512:	8F5D8C3300E37B4706262A940BFEB469893E874CF71BEECC1274906D9509E5E0EC74A28910464C1B425E13680530D262BB03E9B34824664B8D2D1C7C8E2284D1
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9238125874513
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNzo9Ixeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LDu8P
MD5:	668FD1D3EFA56C6ACABADA2CB4711AF5
SHA1:	22198C5FDDF7097A9433FEF049A6E04F95E01D2F
SHA-256:	6BF6DF02A25863DAB0F1145817A4C0A332E13AC746173899E88DB00129E218CA
SHA-512:	8F5D8C3300E37B4706262A940BFEB469893E874CF71BEECC1274906D9509E5E0EC74A28910464C1B425E13680530D262BB03E9B34824664B8D2D1C7C8E2284D1
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiVo:DLhesh7Owd4+ji
MD5:	F7065D63B894260AD966A8E83A6FC521
SHA1:	186C580558A7ACBEB4CA225BAE6C628BA08C36F3
SHA-256:	EE29945B32745558736FED6DD5A99438D01CF458CD07F1BE780953A4E6987D8E
SHA-512:	66498AF1FFF749C7F6A709CB7368BA84ECFCF647A6E80C0C725574FBFA4E13863F48597C35E8ADC45EC9F1A4781822A73D70EF29847D15224BC2A1D6E50DC4CD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFmha8WKushXy3+Sl1lstFmha8WKushXy3+ttT89//alEl:GtWtkgf1styxl1Wtkgf1styE89XuM
MD5:	AA12B942E27FF34A14B893CC4C8C7F95
SHA1:	C9DEAAA577DF20C8F133DE0112D3265EED4583C7
SHA-256:	9DB142EF4F5C957FAE87545C9887053F4B101042A195E54CB272173B48F20316
SHA-512:	E8EDBBE234DD0A08493C6A0D7815634A694F567F2B644F09BDCF9C90DAECA7E4B7E8D75EA4817D9A044703635415CAE8C4AD20DDA69C6E2492EDCCA2131F352E
Malicious:	false
Preview:	..-.......................5[kV...dN.KI.X..W.[..-.......................5[kV...dN.KI.X..W.[........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03979032813089825
Encrypted:	false
SSDEEP:	3:Ol1okdKu9/ltwuxUdWl8rEXsxdwhml8XW3R2:KyW1x3bxUEl8dMhm93w
MD5:	8E80650D4A28C62709A0C12DEDB1069F
SHA1:	ECC59C20342B402CB987CEBBB53FD7D19A92DF2C
SHA-256:	FFB250C522C544854235AAA0FFEE08B8BBE1DD4621CA805058B4F64F25628D07
SHA-512:	F2D5302B28592830C616361627131823619C72FA3E5C19DEBCA64D6A46D13138163CD1402C4F3A9F5F48D097E27C24357C94ED5827D9EF9285C981BD5E050129
Malicious:	false
Preview:	7....-.............dN.K.d...l.$...........dN.K....Vk[5................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	modified
Size (bytes):	13187
Entropy (8bit):	5.475155069418923
Encrypted:	false
SSDEEP:	192:inPOeRnLYbBp6FJ0aX+Z6SEXK9WN7B5RHWNBw8dOSl:gDekJUA8SJHEwV0
MD5:	49466B727CEC9809CA0F0960057A7ED1
SHA1:	AB74A160DF2D1FA73D75D58C638A27FF64EB5296
SHA-256:	460C133E12B2FDDA3FAD2CFFFD764C7155002EB048EC9936220E35AA66978AE3
SHA-512:	62361CD6D84ABB169FDBFFF61E877F64D3045E7B7CA7C3071BAD801DF15FD5F4F6DB76B7E75AD158B1204A86FD06C196BCBA4603C9D77F36F5A7251F58E7F9C0
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730200411);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730200411);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730200411);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173020

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.475155069418923
Encrypted:	false
SSDEEP:	192:inPOeRnLYbBp6FJ0aX+Z6SEXK9WN7B5RHWNBw8dOSl:gDekJUA8SJHEwV0
MD5:	49466B727CEC9809CA0F0960057A7ED1
SHA1:	AB74A160DF2D1FA73D75D58C638A27FF64EB5296
SHA-256:	460C133E12B2FDDA3FAD2CFFFD764C7155002EB048EC9936220E35AA66978AE3
SHA-512:	62361CD6D84ABB169FDBFFF61E877F64D3045E7B7CA7C3071BAD801DF15FD5F4F6DB76B7E75AD158B1204A86FD06C196BCBA4603C9D77F36F5A7251F58E7F9C0
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730200411);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730200411);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730200411);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173020

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.342473966546461
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMPLXnIrkn/pnxQwRcWT5sKmgb05B3eHVpjO+WamhujJwO2c0TiVmg:GUpOxhPPBnRcoegA3erjxW4Jwc3zBtBv
MD5:	05AF208E49B760E34E868DFCBCFF1562
SHA1:	B5D21469D3BCD436D4B7B4F8AE5F55A02189AE7B
SHA-256:	62ED94F54F7393650A1AB61083069836DE03D7381E7EB4BD538147771E822878
SHA-512:	40C828D452C171D81BE94938E3F3A00DC71F7ADBF7C260A744FE14228679014214824077B24B2B414BF8D52651F02927167A7B8F3752CC3F880A6864507EF12C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{f7abff99-4bdf-409d-b635-90906a0f5d19}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730200417116,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..Q38006...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....383924,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.342473966546461
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMPLXnIrkn/pnxQwRcWT5sKmgb05B3eHVpjO+WamhujJwO2c0TiVmg:GUpOxhPPBnRcoegA3erjxW4Jwc3zBtBv
MD5:	05AF208E49B760E34E868DFCBCFF1562
SHA1:	B5D21469D3BCD436D4B7B4F8AE5F55A02189AE7B
SHA-256:	62ED94F54F7393650A1AB61083069836DE03D7381E7EB4BD538147771E822878
SHA-512:	40C828D452C171D81BE94938E3F3A00DC71F7ADBF7C260A744FE14228679014214824077B24B2B414BF8D52651F02927167A7B8F3752CC3F880A6864507EF12C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{f7abff99-4bdf-409d-b635-90906a0f5d19}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730200417116,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..Q38006...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....383924,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.342473966546461
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMPLXnIrkn/pnxQwRcWT5sKmgb05B3eHVpjO+WamhujJwO2c0TiVmg:GUpOxhPPBnRcoegA3erjxW4Jwc3zBtBv
MD5:	05AF208E49B760E34E868DFCBCFF1562
SHA1:	B5D21469D3BCD436D4B7B4F8AE5F55A02189AE7B
SHA-256:	62ED94F54F7393650A1AB61083069836DE03D7381E7EB4BD538147771E822878
SHA-512:	40C828D452C171D81BE94938E3F3A00DC71F7ADBF7C260A744FE14228679014214824077B24B2B414BF8D52651F02927167A7B8F3752CC3F880A6864507EF12C
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{f7abff99-4bdf-409d-b635-90906a0f5d19}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730200417116,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..Q38006...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....383924,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.02955875352809
Encrypted:	false
SSDEEP:	96:ycVwMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:FTEr5NX0z3DhRe
MD5:	E2FA9CEB6C2022FE7BF965B9F6062767
SHA1:	85D46CA8EA8D4090C6E631D7D30BB49A63DC47A7
SHA-256:	8B21F4049EBC0233C6CC124AA8438C75A7788471DC2FE06636A82482A6D0B695
SHA-512:	39A4789343104F79CAD6130E9833791D253C506772F3997E168F071CA0FA27A46BE2B1DEABEC99C44F1C79232C8E24B8E20D03FAA9D004197FF6CC675252298E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T11:13:16.952Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.02955875352809
Encrypted:	false
SSDEEP:	96:ycVwMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:FTEr5NX0z3DhRe
MD5:	E2FA9CEB6C2022FE7BF965B9F6062767
SHA1:	85D46CA8EA8D4090C6E631D7D30BB49A63DC47A7
SHA-256:	8B21F4049EBC0233C6CC124AA8438C75A7788471DC2FE06636A82482A6D0B695
SHA-512:	39A4789343104F79CAD6130E9833791D253C506772F3997E168F071CA0FA27A46BE2B1DEABEC99C44F1C79232C8E24B8E20D03FAA9D004197FF6CC675252298E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T11:13:16.952Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584691494261143
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	3913a8f8f34fb2bad2930574dc7b5247
SHA1:	49bfccfd45486046fb07fd4471311e1be47189e7
SHA256:	d4989cc1c285c328598aebaa67ba110c2f43080e3dd71ef6181d30aa40fe44c3
SHA512:	d668ab4e40799c7a8742f8abdb982a2e48ec6beaf79b357dda91c5516b67bb01582f3cad7067969c29cdf0d72fd64e8776918352a7326e0401c5ca24051ddefd
SSDEEP:	12288:cqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tn:cqDEvCTbMWu7rQYlBQcBiT6rprG8abn
TLSH:	3E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6720AD8F [Tue Oct 29 09:40:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8BD0B31023h
jmp 00007F8BD0B3092Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8BD0B30B0Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8BD0B30ADAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8BD0B336CDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8BD0B33718h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8BD0B33701h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	f08e29a09f2baffb66599840b86a6de4	False	0.3156398338607595	data	5.373724392822833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:48:00.655639887 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:00.655672073 CET	443	49710	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:00.657286882 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:00.664088964 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:00.664107084 CET	443	49710	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:01.278045893 CET	443	49710	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:01.278184891 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:01.285485983 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:01.285491943 CET	443	49710	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:01.285595894 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:01.285703897 CET	443	49710	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:01.286614895 CET	49710	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:01.343419075 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:01.343502045 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:01.343739986 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:01.345130920 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:01.345170975 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:01.411664963 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:01.411725998 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:01.412106991 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:01.413521051 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:01.413537979 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:01.418572903 CET	49713	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:01.423945904 CET	80	49713	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:01.429260015 CET	49713	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:01.431924105 CET	49713	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:01.437217951 CET	80	49713	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:01.754947901 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:01.754990101 CET	443	49714	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:01.756531954 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:01.757972956 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:01.757988930 CET	443	49714	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:01.786668062 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:01.786705971 CET	443	49715	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:01.788362980 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:01.789796114 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:01.789810896 CET	443	49715	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:01.800946951 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:01.801019907 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:01.801534891 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:01.801713943 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:01.801745892 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:02.019180059 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.019222021 CET	443	49717	34.160.144.191	192.168.2.5
Oct 29, 2024 10:48:02.019501925 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.019596100 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.019603014 CET	443	49717	34.160.144.191	192.168.2.5
Oct 29, 2024 10:48:02.033862114 CET	80	49713	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:02.086749077 CET	49713	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:02.210355997 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.211047888 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.215332985 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.228142023 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.232630014 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.232664108 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.232747078 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.232899904 CET	443	49711	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.233114958 CET	49711	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.260826111 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.261789083 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.267333031 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.277709961 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.286752939 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.286789894 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.286870956 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.286967993 CET	443	49712	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.300293922 CET	49712	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.314275980 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.314378977 CET	443	49719	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.320555925 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.350270033 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:02.350325108 CET	443	49719	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:02.378113985 CET	443	49714	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.381087065 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.411438942 CET	443	49715	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.421447992 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.425267935 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:02.431348085 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:02.441477060 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:02.492201090 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:02.492212057 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:02.493493080 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:02.494129896 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.494157076 CET	443	49714	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.494236946 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.494362116 CET	443	49714	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.494597912 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.494642973 CET	443	49720	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.501913071 CET	49714	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.501940966 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.509793043 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.509808064 CET	443	49720	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.511204004 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.511245012 CET	443	49715	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.511449099 CET	443	49715	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.513561010 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.513582945 CET	443	49715	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.514364958 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.514406919 CET	443	49721	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.516607046 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:02.516670942 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:02.516905069 CET	443	49716	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:02.517024994 CET	49715	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.517044067 CET	49716	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:02.517056942 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.518332958 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:02.518349886 CET	443	49721	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:02.645123959 CET	443	49717	34.160.144.191	192.168.2.5
Oct 29, 2024 10:48:02.645241976 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.648108959 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.648118973 CET	443	49717	34.160.144.191	192.168.2.5
Oct 29, 2024 10:48:02.648526907 CET	443	49717	34.160.144.191	192.168.2.5
Oct 29, 2024 10:48:02.650218010 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.650285959 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.650412083 CET	443	49717	34.160.144.191	192.168.2.5
Oct 29, 2024 10:48:02.650486946 CET	49717	443	192.168.2.5	34.160.144.191
Oct 29, 2024 10:48:02.677205086 CET	49713	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:02.683231115 CET	80	49713	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:02.684082031 CET	49713	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.071535110 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.077020884 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.077240944 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.077357054 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.082597017 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.082640886 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.087944984 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.090951920 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.091073036 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.096357107 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.131426096 CET	443	49720	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.131441116 CET	443	49720	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.132225037 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.133708954 CET	443	49721	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.135272026 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.139439106 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.139451027 CET	443	49720	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.139511108 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.139625072 CET	443	49720	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.139627934 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.139652014 CET	443	49721	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.139691114 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.139837027 CET	443	49721	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.140647888 CET	49720	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.140661001 CET	49721	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.222457886 CET	443	49719	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:03.222542048 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:03.223181009 CET	443	49719	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:03.224443913 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.224483967 CET	443	49725	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.227787018 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:03.227821112 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.230556965 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.230571985 CET	443	49725	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.231827021 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:03.231842041 CET	443	49719	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:03.231904030 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:03.232028008 CET	443	49719	142.250.186.142	192.168.2.5
Oct 29, 2024 10:48:03.232225895 CET	49719	443	192.168.2.5	142.250.186.142
Oct 29, 2024 10:48:03.676486969 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.696161985 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.724314928 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.739934921 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.829390049 CET	443	49725	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.829822063 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:03.835320950 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:03.840264082 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.843976974 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.843986988 CET	443	49725	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.844078064 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.844266891 CET	443	49725	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.844512939 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.844563007 CET	443	49726	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.845777988 CET	49725	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.845839024 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.847337961 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:03.847367048 CET	443	49726	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:03.956490040 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:04.009538889 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:04.203401089 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:04.208889961 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:04.330543041 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:04.383955956 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:04.445864916 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:04.682076931 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:04.683871984 CET	443	49726	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:04.686983109 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:04.691821098 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:04.691845894 CET	443	49726	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:04.691915989 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:04.692060947 CET	443	49726	34.117.188.166	192.168.2.5
Oct 29, 2024 10:48:04.692888021 CET	49726	443	192.168.2.5	34.117.188.166
Oct 29, 2024 10:48:04.801872015 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:04.847620964 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:04.973784924 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:04.973865986 CET	443	49728	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:04.985820055 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:04.999692917 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:04.999736071 CET	443	49728	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:05.000788927 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.000818968 CET	443	49729	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:05.001349926 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.002250910 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:05.003659964 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.003686905 CET	443	49729	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:05.007618904 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:05.082552910 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.082592010 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.100883961 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.101402998 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.101427078 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.129388094 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:05.181658030 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:05.618761063 CET	443	49729	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:05.618865013 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.622443914 CET	443	49728	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:05.622458935 CET	443	49728	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:05.622761965 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:05.625967979 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.625988007 CET	443	49729	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:05.626091957 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.626353025 CET	443	49729	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:05.626806021 CET	49729	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:05.627482891 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:05.627494097 CET	443	49728	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:05.627540112 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:05.627686024 CET	443	49728	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:05.627748013 CET	49728	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:05.948048115 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.948086023 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.948136091 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.951029062 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.951046944 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.951467991 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.953979015 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.954040051 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:05.954174042 CET	443	49730	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:05.954293013 CET	49730	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:09.657066107 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:09.657152891 CET	443	49732	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:09.659698963 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:09.661108017 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:09.661142111 CET	443	49732	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:09.730509996 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:09.731307983 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:09.736104965 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:09.736690044 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:09.742425919 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:09.742448092 CET	443	49733	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:09.746490955 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:09.747876883 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:09.747890949 CET	443	49733	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:09.856359959 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:09.858221054 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:09.904715061 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:09.904786110 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:10.310046911 CET	443	49732	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:10.321722984 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:10.372375011 CET	443	49733	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:10.372448921 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:10.415796041 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:10.415812969 CET	443	49733	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:10.415834904 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:10.415854931 CET	443	49732	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:10.415981054 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:10.416023970 CET	443	49733	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:10.416089058 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:10.416114092 CET	443	49732	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:10.416244030 CET	49733	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:10.416261911 CET	49732	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:15.358824968 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:15.364373922 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:15.484333038 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:15.532071114 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:16.154577017 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:16.156481028 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:16.156539917 CET	443	49745	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:16.160118103 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:16.165566921 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:16.166719913 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:16.166738987 CET	443	49745	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:16.281830072 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:16.334430933 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:16.966665030 CET	443	49745	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:16.966706038 CET	443	49745	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:16.966764927 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:17.532377958 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:17.532411098 CET	443	49745	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:17.532541037 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:17.532982111 CET	443	49745	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:17.533056021 CET	49745	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.227984905 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.228008032 CET	443	49760	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:18.228497028 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.228504896 CET	443	49761	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.229486942 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:18.229496956 CET	443	49762	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:18.230865955 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.230875015 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.231497049 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.231519938 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.231519938 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.231535912 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:18.232983112 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.232997894 CET	443	49760	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:18.233124971 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.233136892 CET	443	49761	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.234405041 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:18.234415054 CET	443	49762	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:18.234472036 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.234486103 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.842538118 CET	443	49760	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:18.847641945 CET	443	49761	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.850785971 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.850785971 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.858475924 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.862571955 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.865995884 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.866019011 CET	443	49761	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.866883993 CET	443	49761	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.868231058 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.868244886 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.868556023 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.873115063 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.873142958 CET	443	49760	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:18.873316050 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.873467922 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.873495102 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.873595953 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.873867989 CET	443	49760	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:18.873933077 CET	49760	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:18.873944044 CET	443	49761	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.873987913 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:18.874001026 CET	49761	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.874056101 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:18.901812077 CET	443	49762	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:18.901931047 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:19.684870005 CET	49763	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:19.684906960 CET	443	49763	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:19.689754009 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:19.689773083 CET	443	49762	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:19.689836979 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:19.690103054 CET	443	49762	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:19.690176964 CET	49762	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:20.076210976 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:20.081615925 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:20.126985073 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:20.132406950 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:20.201761007 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:20.253806114 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:20.261610031 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:20.315004110 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:21.186553001 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.186645985 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.188195944 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:21.193643093 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:21.194458008 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.194581032 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.194602013 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.203032970 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.203073025 CET	443	49780	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.205132008 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.206623077 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.206635952 CET	443	49780	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.209162951 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.209182024 CET	443	49782	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.209558010 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.209728956 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.209743023 CET	443	49782	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.314140081 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:21.364810944 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:21.823604107 CET	443	49780	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.823690891 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.824320078 CET	443	49782	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.824390888 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.845804930 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.845840931 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:21.845904112 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:21.897645950 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.350332975 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.350413084 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.351398945 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.353888988 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.353929996 CET	443	49782	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.354857922 CET	443	49782	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.363277912 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.363301992 CET	443	49780	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.363496065 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.363609076 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.363679886 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.363981962 CET	443	49780	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.364068985 CET	443	49779	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.366631031 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.366705894 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.366949081 CET	49780	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.366964102 CET	49779	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.367114067 CET	443	49782	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.367613077 CET	49782	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.369496107 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:22.372086048 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.372116089 CET	443	49789	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.372344017 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.373676062 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.373687983 CET	443	49789	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.375001907 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:22.496347904 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:22.500150919 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:22.505583048 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:22.537085056 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:22.625710011 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:22.668626070 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:22.990206957 CET	443	49789	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.991816998 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.996215105 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.996222973 CET	443	49789	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.996318102 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:22.996421099 CET	443	49789	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:22.999829054 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.000746965 CET	49789	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.004189014 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.004256010 CET	443	49794	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:23.005345106 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.009347916 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.010827065 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.010850906 CET	443	49794	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:23.127233028 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.130997896 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.136609077 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.170044899 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.256845951 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.301598072 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.627142906 CET	443	49794	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:23.629926920 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.635137081 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.635159016 CET	443	49794	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:23.635255098 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.635432959 CET	443	49794	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:23.636631966 CET	49794	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:23.638559103 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.644041061 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.765319109 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.768625975 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.774219036 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.825217962 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:23.895507097 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:23.941190004 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:30.431509972 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:30.431582928 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:30.435620070 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:30.435966969 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:30.435991049 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:30.456768036 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:30.456790924 CET	443	49837	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:30.457367897 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:30.457463026 CET	443	49838	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:30.458857059 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:30.459722042 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:30.460244894 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:30.460254908 CET	443	49837	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:30.460355043 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:30.460391045 CET	443	49838	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:30.467958927 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:30.467995882 CET	443	49839	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:30.468730927 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:30.470206022 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:30.470252991 CET	443	49839	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:30.470985889 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:30.471008062 CET	443	49840	151.101.65.91	192.168.2.5
Oct 29, 2024 10:48:30.471606970 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:30.471729040 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:30.471740007 CET	443	49840	151.101.65.91	192.168.2.5
Oct 29, 2024 10:48:30.491687059 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:30.491756916 CET	443	49841	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:30.492214918 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:30.493441105 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:30.493475914 CET	443	49841	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.046588898 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.046740055 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.050359011 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.050371885 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.050749063 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.053355932 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.053553104 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.053683043 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.053692102 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.060404062 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:31.065727949 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.075453997 CET	443	49837	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:31.075531006 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:31.079705954 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:31.079714060 CET	443	49837	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:31.079796076 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:31.079993963 CET	443	49837	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:31.080646038 CET	49837	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:31.082823038 CET	443	49838	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:31.082920074 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.085700035 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.085711002 CET	443	49838	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:31.086455107 CET	443	49838	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:31.088479996 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.088563919 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.088849068 CET	443	49838	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:31.090424061 CET	49838	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.095568895 CET	443	49839	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:31.095660925 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:31.096609116 CET	443	49840	151.101.65.91	192.168.2.5
Oct 29, 2024 10:48:31.098118067 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:31.100528002 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:31.100533962 CET	443	49840	151.101.65.91	192.168.2.5
Oct 29, 2024 10:48:31.100918055 CET	443	49840	151.101.65.91	192.168.2.5
Oct 29, 2024 10:48:31.101950884 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:31.101958990 CET	443	49839	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:31.102044106 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:31.102217913 CET	443	49839	35.190.72.216	192.168.2.5
Oct 29, 2024 10:48:31.102993011 CET	49839	443	192.168.2.5	35.190.72.216
Oct 29, 2024 10:48:31.103600025 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:31.103687048 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:31.103780031 CET	443	49840	151.101.65.91	192.168.2.5
Oct 29, 2024 10:48:31.106940031 CET	49840	443	192.168.2.5	151.101.65.91
Oct 29, 2024 10:48:31.115464926 CET	443	49841	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.115886927 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.119791985 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.119802952 CET	443	49841	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.119920015 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.120060921 CET	443	49841	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.120425940 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.120441914 CET	443	49847	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.120498896 CET	49841	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.120526075 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.121946096 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.121953964 CET	443	49847	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.123055935 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123105049 CET	443	49848	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.123215914 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123243093 CET	443	49849	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.123330116 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123339891 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.123498917 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123537064 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123604059 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123699903 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123716116 CET	443	49848	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.123831034 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123846054 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.123903036 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.123917103 CET	443	49849	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.187835932 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.190928936 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:31.196376085 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.238440990 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:31.263325930 CET	443	49836	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.263395071 CET	49836	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.316458941 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.371718884 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:31.746134043 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.746629000 CET	443	49849	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.751359940 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.754472971 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.754679918 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.758049011 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.758065939 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.758392096 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.763555050 CET	443	49847	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.763870001 CET	443	49848	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.764564037 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.764579058 CET	443	49849	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.764874935 CET	443	49849	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.764887094 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.765115023 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.768788099 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.768852949 CET	443	49848	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.769763947 CET	443	49848	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.773071051 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.773365974 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.773444891 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.773452044 CET	443	49850	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.773519993 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.773617029 CET	443	49849	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.773679018 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.773685932 CET	443	49847	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.773731947 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.773909092 CET	443	49847	35.201.103.21	192.168.2.5
Oct 29, 2024 10:48:31.774112940 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.774138927 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.774554014 CET	443	49848	35.244.181.201	192.168.2.5
Oct 29, 2024 10:48:31.783601999 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:31.786844015 CET	49849	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.786861897 CET	49847	443	192.168.2.5	35.201.103.21
Oct 29, 2024 10:48:31.786883116 CET	49850	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.786883116 CET	49848	443	192.168.2.5	35.244.181.201
Oct 29, 2024 10:48:31.788988113 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.794114113 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.794177055 CET	443	49853	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:31.794290066 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.794401884 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:31.794436932 CET	443	49853	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:31.910371065 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.913203001 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:31.918492079 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:31.956109047 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:32.039447069 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:32.087656021 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:32.407711029 CET	443	49853	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:32.407825947 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:32.412183046 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:32.412216902 CET	443	49853	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:32.412561893 CET	443	49853	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:32.414839029 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:32.414941072 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:32.415041924 CET	443	49853	34.149.100.209	192.168.2.5
Oct 29, 2024 10:48:32.415127039 CET	49853	443	192.168.2.5	34.149.100.209
Oct 29, 2024 10:48:32.417989969 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:32.423358917 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:32.544645071 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:32.547626019 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:32.553040981 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:32.589087009 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:32.673048019 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:32.727160931 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:42.555888891 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:42.687452078 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:42.711910009 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:42.711949110 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:51.448256016 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:51.448282003 CET	443	56228	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:51.448358059 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:51.449754000 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:51.449760914 CET	443	56228	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:52.068454981 CET	443	56228	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:52.068911076 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:52.073267937 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:52.073282003 CET	443	56228	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:52.073370934 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:52.073486090 CET	443	56228	34.107.243.93	192.168.2.5
Oct 29, 2024 10:48:52.074311972 CET	56228	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:48:52.076389074 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:52.081825018 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:52.203171015 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:52.207225084 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:52.212641001 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:52.246480942 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:52.332577944 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:48:52.384427071 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:48:59.857158899 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:59.857264042 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:59.857532978 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:59.857691050 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:59.857714891 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:59.917505980 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:59.917579889 CET	443	56278	34.120.208.123	192.168.2.5
Oct 29, 2024 10:48:59.920882940 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:59.921138048 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:48:59.921155930 CET	443	56278	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.475182056 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.479334116 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.491511106 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.494801998 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.494827986 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.495707989 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.497497082 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.497649908 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.497895002 CET	443	56277	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.497962952 CET	56277	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.506921053 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:00.512511969 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:00.535135031 CET	443	56278	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.535222054 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.538151026 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.538167000 CET	443	56278	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.538721085 CET	443	56278	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.540894985 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.540992975 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.541192055 CET	443	56278	34.120.208.123	192.168.2.5
Oct 29, 2024 10:49:00.541280985 CET	56278	443	192.168.2.5	34.120.208.123
Oct 29, 2024 10:49:00.634177923 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:00.637485027 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:00.642884970 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:00.692176104 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:00.762878895 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:00.807908058 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:10.637016058 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:10.642541885 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:10.768506050 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:10.774050951 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:20.665353060 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:20.671118975 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:20.781275988 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:20.786823988 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:30.678194046 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:30.684259892 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:30.794095993 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:30.799544096 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:32.526403904 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:32.526489019 CET	443	56305	34.107.243.93	192.168.2.5
Oct 29, 2024 10:49:32.526612043 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:32.528116941 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:32.528148890 CET	443	56305	34.107.243.93	192.168.2.5
Oct 29, 2024 10:49:34.337939978 CET	443	56305	34.107.243.93	192.168.2.5
Oct 29, 2024 10:49:34.338032961 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:34.343904018 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:34.343952894 CET	443	56305	34.107.243.93	192.168.2.5
Oct 29, 2024 10:49:34.344019890 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:34.344186068 CET	443	56305	34.107.243.93	192.168.2.5
Oct 29, 2024 10:49:34.344423056 CET	56305	443	192.168.2.5	34.107.243.93
Oct 29, 2024 10:49:34.346904993 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:34.352314949 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:34.473778009 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:34.477658033 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:34.483124018 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:34.519575119 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:34.603336096 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:34.651212931 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:44.479830980 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:44.486011028 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:44.617959023 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:44.623580933 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:54.493771076 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:54.499300957 CET	80	49724	34.107.221.82	192.168.2.5
Oct 29, 2024 10:49:54.625363111 CET	49722	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:49:54.631045103 CET	80	49722	34.107.221.82	192.168.2.5
Oct 29, 2024 10:50:04.517193079 CET	49724	80	192.168.2.5	34.107.221.82
Oct 29, 2024 10:50:04.522644997 CET	80	49724	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:48:00.669142962 CET	58249	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:00.676480055 CET	53	58249	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:00.678031921 CET	59908	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:00.685497046 CET	53	59908	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.333369970 CET	50373	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.333656073 CET	55489	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.341510057 CET	53	55489	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.342766047 CET	59816	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.344136000 CET	58095	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.350919008 CET	53	59816	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.351397038 CET	63933	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.351847887 CET	53	58095	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.352284908 CET	52216	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.359383106 CET	53	63933	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.359477997 CET	53	52216	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.745003939 CET	59161	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.753235102 CET	53	59161	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.755352020 CET	57532	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.763205051 CET	53	57532	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.765028000 CET	60063	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.772960901 CET	53	60063	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.774672985 CET	63966	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.782898903 CET	53	63966	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.787235022 CET	54094	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.794488907 CET	53	54094	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.800177097 CET	51720	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.802725077 CET	58958	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.807969093 CET	53	51720	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.810024977 CET	53	58958	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.822973967 CET	61416	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:01.831820011 CET	53	61416	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:01.998306036 CET	50898	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:02.007425070 CET	53	50898	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:02.019395113 CET	55042	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:02.028095007 CET	53	55042	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:02.031295061 CET	61755	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:02.039056063 CET	53	61755	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:02.675631046 CET	56243	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:02.683247089 CET	53	56243	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:02.684710026 CET	58433	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:02.692759991 CET	53	58433	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:03.063091040 CET	56819	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:03.063878059 CET	61567	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:03.095663071 CET	53	63728	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:04.454868078 CET	56827	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:04.683018923 CET	53	56827	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:04.686810970 CET	61833	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:04.694150925 CET	53	61833	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:04.694736004 CET	63841	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:04.702096939 CET	53	63841	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:05.005348921 CET	59784	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:05.012653112 CET	53	59784	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:05.032758951 CET	58716	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:05.040812969 CET	53	58716	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.605150938 CET	50451	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.612885952 CET	53	50451	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.625556946 CET	63322	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.632946014 CET	53	63322	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.642380953 CET	58927	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.651182890 CET	53	58927	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.654896975 CET	56539	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.657131910 CET	65373	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.662208080 CET	53	56539	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.664597988 CET	53	65373	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.673873901 CET	56486	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.681380987 CET	53	56486	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:09.730643988 CET	65144	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.732713938 CET	49996	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:09.740272045 CET	53	49996	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:16.168215036 CET	53457	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:16.175867081 CET	53	53457	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:18.190236092 CET	55797	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:18.198216915 CET	53	55797	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:18.199836016 CET	56938	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:18.208049059 CET	53	56938	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.074165106 CET	56618	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.074453115 CET	53046	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.074918985 CET	58171	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.081943035 CET	53	53046	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.082051992 CET	53	56618	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.082653046 CET	53	58171	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.085401058 CET	55043	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.085553885 CET	49836	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.085947990 CET	58465	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.092844963 CET	53	49836	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.093008041 CET	53	55043	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.093341112 CET	61141	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.093714952 CET	62298	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.094060898 CET	53	58465	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.097512960 CET	54372	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.101139069 CET	53	61141	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.101425886 CET	53	62298	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.101679087 CET	65308	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.102109909 CET	50184	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.105489969 CET	53	54372	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.109273911 CET	53	65308	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.109360933 CET	53	50184	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.109805107 CET	54386	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.110440969 CET	62866	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.117976904 CET	53	54386	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.118273020 CET	53	62866	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.118587971 CET	51467	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.118976116 CET	64170	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:20.126614094 CET	53	64170	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:20.127115965 CET	53	51467	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:21.189420938 CET	60113	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:21.196667910 CET	53	60113	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.432929993 CET	61146	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.440712929 CET	53	61146	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.456196070 CET	64343	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.458376884 CET	52689	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.464839935 CET	53	64343	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.465926886 CET	53	52689	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.471553087 CET	59535	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.478940964 CET	58494	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.479533911 CET	53	59535	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.482491016 CET	52413	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.487884045 CET	53	58494	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.490916014 CET	53	52413	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.492144108 CET	54716	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.499893904 CET	53	54716	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:30.502393961 CET	63614	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:30.511195898 CET	53	63614	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:40.705389023 CET	53	61047	162.159.36.2	192.168.2.5
Oct 29, 2024 10:48:41.349169016 CET	53	50790	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:51.448730946 CET	52929	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:51.456563950 CET	53	52929	1.1.1.1	192.168.2.5
Oct 29, 2024 10:48:59.856621981 CET	60826	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:48:59.865020037 CET	53	60826	1.1.1.1	192.168.2.5
Oct 29, 2024 10:49:32.517143011 CET	62586	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:49:32.524760962 CET	53	62586	1.1.1.1	192.168.2.5
Oct 29, 2024 10:49:32.525633097 CET	61975	53	192.168.2.5	1.1.1.1
Oct 29, 2024 10:49:32.533205032 CET	53	61975	1.1.1.1	192.168.2.5
Oct 29, 2024 10:49:34.347197056 CET	51157	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 10:48:00.669142962 CET	192.168.2.5	1.1.1.1	0xee1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:00.678031921 CET	192.168.2.5	1.1.1.1	0x7d32	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:01.333369970 CET	192.168.2.5	1.1.1.1	0x1b75	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.333656073 CET	192.168.2.5	1.1.1.1	0x9554	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.342766047 CET	192.168.2.5	1.1.1.1	0x6b96	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.344136000 CET	192.168.2.5	1.1.1.1	0x9fe7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.351397038 CET	192.168.2.5	1.1.1.1	0xcfb8	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:01.352284908 CET	192.168.2.5	1.1.1.1	0x24e1	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:01.745003939 CET	192.168.2.5	1.1.1.1	0x8c55	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.755352020 CET	192.168.2.5	1.1.1.1	0x338a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.765028000 CET	192.168.2.5	1.1.1.1	0x8ea	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:01.774672985 CET	192.168.2.5	1.1.1.1	0x552d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.787235022 CET	192.168.2.5	1.1.1.1	0xe9ab	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.800177097 CET	192.168.2.5	1.1.1.1	0x8e02	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:01.802725077 CET	192.168.2.5	1.1.1.1	0x73ec	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.822973967 CET	192.168.2.5	1.1.1.1	0x8e67	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:01.998306036 CET	192.168.2.5	1.1.1.1	0x4917	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.019395113 CET	192.168.2.5	1.1.1.1	0xa3bc	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.031295061 CET	192.168.2.5	1.1.1.1	0x2e25	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:02.675631046 CET	192.168.2.5	1.1.1.1	0x495f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.684710026 CET	192.168.2.5	1.1.1.1	0xe28e	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:03.063091040 CET	192.168.2.5	1.1.1.1	0xb473	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:03.063878059 CET	192.168.2.5	1.1.1.1	0x2365	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:04.454868078 CET	192.168.2.5	1.1.1.1	0x2576	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:04.686810970 CET	192.168.2.5	1.1.1.1	0x55a5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:04.694736004 CET	192.168.2.5	1.1.1.1	0xf558	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:05.005348921 CET	192.168.2.5	1.1.1.1	0x6e1a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:05.032758951 CET	192.168.2.5	1.1.1.1	0xa8cc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:09.605150938 CET	192.168.2.5	1.1.1.1	0xf9f5	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.625556946 CET	192.168.2.5	1.1.1.1	0x9cb2	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.642380953 CET	192.168.2.5	1.1.1.1	0x31a5	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.654896975 CET	192.168.2.5	1.1.1.1	0xae61	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:09.657131910 CET	192.168.2.5	1.1.1.1	0x7209	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.673873901 CET	192.168.2.5	1.1.1.1	0x3fe1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:09.730643988 CET	192.168.2.5	1.1.1.1	0xcabb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.732713938 CET	192.168.2.5	1.1.1.1	0xd878	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:16.168215036 CET	192.168.2.5	1.1.1.1	0xe8f7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:18.190236092 CET	192.168.2.5	1.1.1.1	0xd25a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:18.199836016 CET	192.168.2.5	1.1.1.1	0x3db5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:20.074165106 CET	192.168.2.5	1.1.1.1	0x874c	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.074453115 CET	192.168.2.5	1.1.1.1	0xcd40	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.074918985 CET	192.168.2.5	1.1.1.1	0x13cc	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.085401058 CET	192.168.2.5	1.1.1.1	0x6db4	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.085553885 CET	192.168.2.5	1.1.1.1	0x4a3b	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.085947990 CET	192.168.2.5	1.1.1.1	0x6b23	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.093341112 CET	192.168.2.5	1.1.1.1	0x83b5	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:20.093714952 CET	192.168.2.5	1.1.1.1	0xa816	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:20.097512960 CET	192.168.2.5	1.1.1.1	0x8cb1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 29, 2024 10:48:20.101679087 CET	192.168.2.5	1.1.1.1	0x5b5b	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.102109909 CET	192.168.2.5	1.1.1.1	0x9382	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.109805107 CET	192.168.2.5	1.1.1.1	0x2301	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.110440969 CET	192.168.2.5	1.1.1.1	0x8dfc	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.118587971 CET	192.168.2.5	1.1.1.1	0x2859	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:20.118976116 CET	192.168.2.5	1.1.1.1	0x1866	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:21.189420938 CET	192.168.2.5	1.1.1.1	0xb910	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:30.432929993 CET	192.168.2.5	1.1.1.1	0xa6c1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 10:48:30.456196070 CET	192.168.2.5	1.1.1.1	0xc202	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.458376884 CET	192.168.2.5	1.1.1.1	0x91be	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:30.471553087 CET	192.168.2.5	1.1.1.1	0xcd6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.478940964 CET	192.168.2.5	1.1.1.1	0xf955	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.482491016 CET	192.168.2.5	1.1.1.1	0x7b04	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 29, 2024 10:48:30.492144108 CET	192.168.2.5	1.1.1.1	0x9ca0	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.502393961 CET	192.168.2.5	1.1.1.1	0x12e2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:51.448730946 CET	192.168.2.5	1.1.1.1	0xd586	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:48:59.856621981 CET	192.168.2.5	1.1.1.1	0xbff	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:49:32.517143011 CET	192.168.2.5	1.1.1.1	0xf902	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:49:32.525633097 CET	192.168.2.5	1.1.1.1	0x66f4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 10:49:34.347197056 CET	192.168.2.5	1.1.1.1	0x149	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 10:48:00.636876106 CET	1.1.1.1	192.168.2.5	0x8b2b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:00.676480055 CET	1.1.1.1	192.168.2.5	0xee1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.340676069 CET	1.1.1.1	192.168.2.5	0x1b75	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:01.340676069 CET	1.1.1.1	192.168.2.5	0x1b75	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.341510057 CET	1.1.1.1	192.168.2.5	0x9554	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.350919008 CET	1.1.1.1	192.168.2.5	0x6b96	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.351847887 CET	1.1.1.1	192.168.2.5	0x9fe7	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.359383106 CET	1.1.1.1	192.168.2.5	0xcfb8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 10:48:01.359477997 CET	1.1.1.1	192.168.2.5	0x24e1	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 29, 2024 10:48:01.753235102 CET	1.1.1.1	192.168.2.5	0x8c55	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.763205051 CET	1.1.1.1	192.168.2.5	0x338a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.782898903 CET	1.1.1.1	192.168.2.5	0x552d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:01.782898903 CET	1.1.1.1	192.168.2.5	0x552d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.794488907 CET	1.1.1.1	192.168.2.5	0xe9ab	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.795156956 CET	1.1.1.1	192.168.2.5	0x72cb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:01.795156956 CET	1.1.1.1	192.168.2.5	0x72cb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:01.810024977 CET	1.1.1.1	192.168.2.5	0x73ec	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.007425070 CET	1.1.1.1	192.168.2.5	0x4917	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:02.007425070 CET	1.1.1.1	192.168.2.5	0x4917	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:02.007425070 CET	1.1.1.1	192.168.2.5	0x4917	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.028095007 CET	1.1.1.1	192.168.2.5	0xa3bc	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.039056063 CET	1.1.1.1	192.168.2.5	0x2e25	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 10:48:02.683247089 CET	1.1.1.1	192.168.2.5	0x495f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.692759991 CET	1.1.1.1	192.168.2.5	0xe28e	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:02.692759991 CET	1.1.1.1	192.168.2.5	0xe28e	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:03.070863008 CET	1.1.1.1	192.168.2.5	0xb473	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:03.070863008 CET	1.1.1.1	192.168.2.5	0xb473	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:03.073007107 CET	1.1.1.1	192.168.2.5	0x2365	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:04.683018923 CET	1.1.1.1	192.168.2.5	0x2576	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:04.694150925 CET	1.1.1.1	192.168.2.5	0x55a5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:04.978763103 CET	1.1.1.1	192.168.2.5	0x7e64	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:05.012653112 CET	1.1.1.1	192.168.2.5	0x6e1a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:05.065901995 CET	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:05.065901995 CET	1.1.1.1	192.168.2.5	0xf6e3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.612885952 CET	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:09.612885952 CET	1.1.1.1	192.168.2.5	0xf9f5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.632946014 CET	1.1.1.1	192.168.2.5	0x9cb2	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:09.632946014 CET	1.1.1.1	192.168.2.5	0x9cb2	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:09.632946014 CET	1.1.1.1	192.168.2.5	0x9cb2	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.651182890 CET	1.1.1.1	192.168.2.5	0x31a5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.664597988 CET	1.1.1.1	192.168.2.5	0x7209	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.738886118 CET	1.1.1.1	192.168.2.5	0xcabb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:09.738886118 CET	1.1.1.1	192.168.2.5	0xcabb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:09.739919901 CET	1.1.1.1	192.168.2.5	0x6d99	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:18.198216915 CET	1.1.1.1	192.168.2.5	0xd25a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.081943035 CET	1.1.1.1	192.168.2.5	0xcd40	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:20.081943035 CET	1.1.1.1	192.168.2.5	0xcd40	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082051992 CET	1.1.1.1	192.168.2.5	0x874c	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082653046 CET	1.1.1.1	192.168.2.5	0x13cc	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:20.082653046 CET	1.1.1.1	192.168.2.5	0x13cc	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.092844963 CET	1.1.1.1	192.168.2.5	0x4a3b	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.093008041 CET	1.1.1.1	192.168.2.5	0x6db4	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.094060898 CET	1.1.1.1	192.168.2.5	0x6b23	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.101139069 CET	1.1.1.1	192.168.2.5	0x83b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 10:48:20.101139069 CET	1.1.1.1	192.168.2.5	0x83b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 10:48:20.101139069 CET	1.1.1.1	192.168.2.5	0x83b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 10:48:20.101139069 CET	1.1.1.1	192.168.2.5	0x83b5	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 10:48:20.101425886 CET	1.1.1.1	192.168.2.5	0xa816	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 29, 2024 10:48:20.105489969 CET	1.1.1.1	192.168.2.5	0x8cb1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 29, 2024 10:48:20.109273911 CET	1.1.1.1	192.168.2.5	0x5b5b	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:20.109273911 CET	1.1.1.1	192.168.2.5	0x5b5b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.109273911 CET	1.1.1.1	192.168.2.5	0x5b5b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.109273911 CET	1.1.1.1	192.168.2.5	0x5b5b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.109273911 CET	1.1.1.1	192.168.2.5	0x5b5b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.109360933 CET	1.1.1.1	192.168.2.5	0x9382	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.117976904 CET	1.1.1.1	192.168.2.5	0x2301	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.117976904 CET	1.1.1.1	192.168.2.5	0x2301	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.117976904 CET	1.1.1.1	192.168.2.5	0x2301	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.117976904 CET	1.1.1.1	192.168.2.5	0x2301	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:20.118273020 CET	1.1.1.1	192.168.2.5	0x8dfc	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.464839935 CET	1.1.1.1	192.168.2.5	0xc202	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.464839935 CET	1.1.1.1	192.168.2.5	0xc202	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.464839935 CET	1.1.1.1	192.168.2.5	0xc202	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.464839935 CET	1.1.1.1	192.168.2.5	0xc202	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.479533911 CET	1.1.1.1	192.168.2.5	0xcd6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.479533911 CET	1.1.1.1	192.168.2.5	0xcd6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.479533911 CET	1.1.1.1	192.168.2.5	0xcd6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.479533911 CET	1.1.1.1	192.168.2.5	0xcd6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.487884045 CET	1.1.1.1	192.168.2.5	0xf955	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:30.487884045 CET	1.1.1.1	192.168.2.5	0xf955	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:30.490916014 CET	1.1.1.1	192.168.2.5	0x7b04	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 10:48:30.490916014 CET	1.1.1.1	192.168.2.5	0x7b04	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 10:48:30.490916014 CET	1.1.1.1	192.168.2.5	0x7b04	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 10:48:30.490916014 CET	1.1.1.1	192.168.2.5	0x7b04	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 10:48:30.499893904 CET	1.1.1.1	192.168.2.5	0x9ca0	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:31.121695042 CET	1.1.1.1	192.168.2.5	0x70b0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:31.121695042 CET	1.1.1.1	192.168.2.5	0x70b0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:48:31.795629978 CET	1.1.1.1	192.168.2.5	0x580a	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:31.795629978 CET	1.1.1.1	192.168.2.5	0x580a	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:48:59.852400064 CET	1.1.1.1	192.168.2.5	0xf630	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:49:32.524760962 CET	1.1.1.1	192.168.2.5	0xf902	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:49:34.354396105 CET	1.1.1.1	192.168.2.5	0x149	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:49:34.354396105 CET	1.1.1.1	192.168.2.5	0x149	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	7136	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:48:01.431924105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:02.033862114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68895 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49722	34.107.221.82	80	7136	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:48:03.077357054 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:03.676486969 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75258 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:03.829822063 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:03.956490040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75258 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:04.445864916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:04.801872015 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:09.730509996 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:09.856359959 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75264 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:15.358824968 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:15.484333038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75270 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:20.076210976 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:20.201761007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75275 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:21.188195944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:21.314140081 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75276 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:22.500150919 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:22.625710011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75277 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:23.130997896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:23.256845951 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:23.768625975 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:23.895507097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:31.190928936 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:31.316458941 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:31.913203001 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:32.039447069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:32.547626019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:32.673048019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75287 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:48:42.687452078 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:48:52.207225084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:48:52.332577944 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75307 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:49:00.637485027 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:49:00.762878895 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75315 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:49:10.768506050 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:20.781275988 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:30.794095993 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:34.477658033 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 10:49:34.603336096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 12:53:45 GMT Age: 75349 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 10:49:44.617959023 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:54.625363111 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	34.107.221.82	80	7136	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:48:03.091073036 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:03.696161985 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68897 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:04.203401089 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:04.330543041 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68898 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:05.002250910 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:05.129388094 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68899 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:09.731307983 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:09.858221054 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68903 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:16.154577017 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:16.281830072 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68910 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:20.126985073 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:20.253806114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68914 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:22.369496107 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:22.496347904 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68916 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:22.999829054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:23.127233028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68917 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:23.638559103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:23.765319109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68917 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:31.060404062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:31.187835932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:31.783601999 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:31.910371065 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:32.417989969 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:32.544645071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68926 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:48:42.555888891 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:48:52.076389074 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:48:52.203171015 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68946 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:49:00.506921053 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:49:00.634177923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68954 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:49:10.637016058 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:20.665353060 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:30.678194046 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:34.346904993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 10:49:34.473778009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 28 Oct 2024 14:39:46 GMT Age: 68988 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 10:49:44.479830980 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:49:54.493771076 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 10:50:04.517193079 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	05:47:53
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x9d0000
File size:	919'552 bytes
MD5 hash:	3913A8F8F34FB2BAD2930574DC7B5247
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2086932396.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2086692897.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:47:53
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x9d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:47:53
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x9d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x9d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x9d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x9d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:47:56
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:47:57
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2112 -prefMapHandle 2104 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a382715-91ea-4e9d-adff-b013096cc28b} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fac5b6fd10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:47:59
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -parentBuildID 20230927232528 -prefsHandle 3936 -prefMapHandle 4044 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db0bfcc8-6b1d-4cd7-9e24-cfb931e11c14} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1fad8122a10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	05:48:03
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5024 -prefMapHandle 5020 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79db0927-a12c-44b4-a85f-ce543a5c6f85} 7136 "\\.\pipe\gecko-crash-server-pipe.7136" 1faddffcf10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1523
Total number of Limit Nodes:	44

Executed Functions

Function 009D42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 009D430D

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

GetCurrentProcess.KERNEL32(?,00A6CB64,00000000,?,?), ref: 009D4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 009D4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 009D4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009D4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 009D4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 009D447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009D44A0

Strings

kernel32.dll, xrefs: 009D444F
|O, xrefs: 00A136F8
GetNativeSystemInfo, xrefs: 009D4460

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 623e3441ac6397fc8fb1c4753f8db3148327e9ac787b9da19cefab4d2739a826
Instruction ID: 1b11a899006ae0dd0469176f662f37282baf3072b99e507cabfe2dac6edff111
Opcode Fuzzy Hash: 623e3441ac6397fc8fb1c4753f8db3148327e9ac787b9da19cefab4d2739a826
Instruction Fuzzy Hash: 14A1426690E2D2FFCF52CFE968411A57EE46B27340F088C9AD0819B7A1D774454BDB31

Function 009D42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009D50AA,?,?,00000000,00000000), ref: 009D42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009D50AA,?,?,00000000,00000000), ref: 009D42C9
LoadResource.KERNEL32(?,00000000,?,?,009D50AA,?,?,00000000,00000000,?,?,?,?,?,?,009D4F20), ref: 00A135BE
SizeofResource.KERNEL32(?,00000000,?,?,009D50AA,?,?,00000000,00000000,?,?,?,?,?,?,009D4F20), ref: 00A135D3
LockResource.KERNEL32(009D50AA,?,?,009D50AA,?,?,00000000,00000000,?,?,?,?,?,?,009D4F20,?), ref: 00A135E6

Strings

SCRIPT, xrefs: 009D42BF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 54d2a52c8edba6acc6063db68a10ee019e2cda1830510de1d0c3f6c4cee39b89
Instruction ID: b616434a808f836a727153b73c23e38307a8e8117500fd3c94a29931a25574e2
Opcode Fuzzy Hash: 54d2a52c8edba6acc6063db68a10ee019e2cda1830510de1d0c3f6c4cee39b89
Instruction Fuzzy Hash: 7A11CE70240300BFEB219BA5DC48F677BBEEBC5B61F10816AF956C6250DBB1DC008670

Function 00A12BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 009D2B6B

Part of subcall function 009D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AA1418,?,009D2E7F,?,?,?,00000000), ref: 009D3A78

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A92224), ref: 00A12C10
ShellExecuteW.SHELL32(00000000,?,?,00A92224), ref: 00A12C17

Strings

runas, xrefs: 00A12C0B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 4dd227520204373b84c306728a8fa696eb5d1ae2b790749c866fb25c74865763
Instruction ID: b0275264a132d8e70d29edfab751e83d178f4de4bc93a3dc6b52b18a8ffab14b
Opcode Fuzzy Hash: 4dd227520204373b84c306728a8fa696eb5d1ae2b790749c866fb25c74865763
Instruction Fuzzy Hash: 2111D2312882016AC704FF74D852BBEBBA4ABE6751F44C42FF082432A2CF64894A8712

Function 00A3D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A3D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A3D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A3D52F
CloseHandle.KERNELBASE(00000000), ref: 00A3D5DC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4724fafe5134fb67b38d8da24d76b5e4b29425a5c9abb745619846581ec42f3a
Instruction ID: cd97a5a687107ead4cd560eaacb861f4442406b503897ede17c6bfa404268989
Opcode Fuzzy Hash: 4724fafe5134fb67b38d8da24d76b5e4b29425a5c9abb745619846581ec42f3a
Instruction Fuzzy Hash: C0318F711083009FD301EF54D881BAFBBF8EFD9354F14492EF585862A1EB719949CB92

Function 00A3DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00A15222), ref: 00A3DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00A3DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A3DBEE
FindClose.KERNEL32(00000000), ref: 00A3DBFA

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 52ddaf145f449a47accb6aded2c196268b916028913c72bab499083ef9cae872
Instruction ID: 823b42bcb0855ac337edac0b86add32fcdf634b527baed500563ea0edbda67aa
Opcode Fuzzy Hash: 52ddaf145f449a47accb6aded2c196268b916028913c72bab499083ef9cae872
Instruction Fuzzy Hash: 94F03071824914A7C220ABB8AD0D8BAB77C9E42335F545706F8B6C21E0EBF099568695

Function 009F4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A028E9,?,009F4CBE,00A028E9,00A988B8,0000000C,009F4E15,00A028E9,00000002,00000000,?,00A028E9), ref: 009F4D09
TerminateProcess.KERNEL32(00000000,?,009F4CBE,00A028E9,00A988B8,0000000C,009F4E15,00A028E9,00000002,00000000,?,00A028E9), ref: 009F4D10
ExitProcess.KERNEL32 ref: 009F4D22

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9ad3a99d4da82b4fe53ef0715dc53132735081190d59dace118e27146f4657ca
Instruction ID: 9fdd69071627b18cd7ffb96544f059436ccd9f06d938c8c50e766f2caed100d0
Opcode Fuzzy Hash: 9ad3a99d4da82b4fe53ef0715dc53132735081190d59dace118e27146f4657ca
Instruction Fuzzy Hash: 67E0B63100014CABDF11AF94DE09A6A7F7DEB85795F104014FD598A262DB75ED42CB80

Function 00A5AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00A5B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A5B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A5B1D4
_wcslen.LIBCMT ref: 00A5B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A5B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A5B236
_wcslen.LIBCMT ref: 00A5B332

Part of subcall function 00A405A7: GetStdHandle.KERNEL32(000000F6), ref: 00A405C6

_wcslen.LIBCMT ref: 00A5B34B
_wcslen.LIBCMT ref: 00A5B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A5B3B6
GetLastError.KERNEL32(00000000), ref: 00A5B407
CloseHandle.KERNEL32(?), ref: 00A5B439
CloseHandle.KERNEL32(00000000), ref: 00A5B44A
CloseHandle.KERNEL32(00000000), ref: 00A5B45C
CloseHandle.KERNEL32(00000000), ref: 00A5B46E
CloseHandle.KERNEL32(?), ref: 00A5B4E3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c03e657a7ba306a0a9a5d7d29e485743a602c29b1f3dfcd6230573aaae6abce2
Instruction ID: 5bb144315fd592f97f09a7cf672b917b44ca5a9c14b80c49952a3738552bcc5c
Opcode Fuzzy Hash: c03e657a7ba306a0a9a5d7d29e485743a602c29b1f3dfcd6230573aaae6abce2
Instruction Fuzzy Hash: D1F1AC316143409FC724EF24C891B6EBBE1BF85315F14855EF8999B2A2DB31EC49CB62

Function 009DD730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009DD807
timeGetTime.WINMM ref: 009DDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009DDB28
TranslateMessage.USER32(?), ref: 009DDB7B
DispatchMessageW.USER32(?), ref: 009DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009DDB9F
Sleep.KERNELBASE(0000000A), ref: 009DDBB1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 49c0ed9e701622d9df1b2eb31f370984a962bb36656521e608be7c3e9b37df04
Instruction ID: 78a2004c34427f73c6e064cf1905e71d3d7c3dbab3c24f8a96c3b94b57f42641
Opcode Fuzzy Hash: 49c0ed9e701622d9df1b2eb31f370984a962bb36656521e608be7c3e9b37df04
Instruction Fuzzy Hash: 73420330689342EFD729CF28D894B6AB7F4BF86304F14892EE49587391D775E844CB92

Function 009D2CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009D2D07
RegisterClassExW.USER32(00000030), ref: 009D2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009D2D42
InitCommonControlsEx.COMCTL32(?), ref: 009D2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009D2D6F
LoadIconW.USER32(000000A9), ref: 009D2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009D2D94

Strings

TaskbarCreated, xrefs: 009D2D37
0, xrefs: 009D2CE9
AutoIt v3 GUI, xrefs: 009D2D23
+, xrefs: 009D2CF0
87, xrefs: 009D2D80, 009D2D8E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$87$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2874353267
Opcode ID: 9b9f0355a354eca11399290f2b97171bb51710fe25a792e63fa3ca1b109d5821
Instruction ID: a312fd06d9d674fbe1c51e6cf491d487e49fff4c2272fb34d81471ed87d29f7b
Opcode Fuzzy Hash: 9b9f0355a354eca11399290f2b97171bb51710fe25a792e63fa3ca1b109d5821
Instruction Fuzzy Hash: E321F2B5901319AFDB00DFE4EC89BEEBBB4FB09724F00811AF551A62A0D7B10546CFA1

Function 00A1065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A1039A: CreateFileW.KERNELBASE(00000000,00000000,?,00A10704,?,?,00000000,?,00A10704,00000000,0000000C), ref: 00A103B7

GetLastError.KERNEL32 ref: 00A1076F
__dosmaperr.LIBCMT ref: 00A10776
GetFileType.KERNELBASE(00000000), ref: 00A10782
GetLastError.KERNEL32 ref: 00A1078C
__dosmaperr.LIBCMT ref: 00A10795
CloseHandle.KERNEL32(00000000), ref: 00A107B5
CloseHandle.KERNEL32(?), ref: 00A108FF
GetLastError.KERNEL32 ref: 00A10931
__dosmaperr.LIBCMT ref: 00A10938

Strings

H, xrefs: 00A108BD

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 63a8a2b06a6be7c2d4e9bf9f60079099db8a96474f3deade18f7cb06cdcd0c4e
Instruction ID: 400021aa10b49139be3d9f890703f4cd99285975c6832a7a791403ce7e1fe78e
Opcode Fuzzy Hash: 63a8a2b06a6be7c2d4e9bf9f60079099db8a96474f3deade18f7cb06cdcd0c4e
Instruction Fuzzy Hash: 64A10232A041098FDF19EFA8D861BEE7BB1AB46320F140159F815AF2D1D7B59893CB91

Function 009D344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AA1418,?,009D2E7F,?,?,?,00000000), ref: 009D3A78

Part of subcall function 009D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009D3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009D356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A1318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A131CE
RegCloseKey.ADVAPI32(?), ref: 00A13210
_wcslen.LIBCMT ref: 00A13277
_wcslen.LIBCMT ref: 00A13286

Strings

Include, xrefs: 00A13184, 00A131C5
Software\AutoIt v3\AutoIt, xrefs: 009D3560
\Include\, xrefs: 009D3527
\, xrefs: 00A1328C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 260fb4744c356f8082a3797327eb8d3a63fb6803e71109fce986d1552e3853b8
Instruction ID: d9a19326f08243750ec079e891281d4798236e3048a3acdac429f08530f59d9c
Opcode Fuzzy Hash: 260fb4744c356f8082a3797327eb8d3a63fb6803e71109fce986d1552e3853b8
Instruction Fuzzy Hash: E671D8715443019ECB04EFA9DC41AABB7F8FFD6740F40482EF5858B2A0EB759A49CB61

Function 009D2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009D2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 009D2B9D
LoadIconW.USER32(00000063), ref: 009D2BB3
LoadIconW.USER32(000000A4), ref: 009D2BC5
LoadIconW.USER32(000000A2), ref: 009D2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009D2BEF
RegisterClassExW.USER32(?), ref: 009D2C40

Part of subcall function 009D2CD4: GetSysColorBrush.USER32(0000000F), ref: 009D2D07
Part of subcall function 009D2CD4: RegisterClassExW.USER32(00000030), ref: 009D2D31
Part of subcall function 009D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009D2D42
Part of subcall function 009D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 009D2D5F
Part of subcall function 009D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009D2D6F
Part of subcall function 009D2CD4: LoadIconW.USER32(000000A9), ref: 009D2D85
Part of subcall function 009D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009D2D94

Strings

#, xrefs: 009D2C16
0, xrefs: 009D2C0F
AutoIt v3, xrefs: 009D2C2F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2ca670785317473e1edacda5ec87ce7b0b9f5f0478a25f55dc9ece53426ceb19
Instruction ID: 73f668e3758abdd3bb606678b8403f614cfd731e627a98656b29fd75ab1fac98
Opcode Fuzzy Hash: 2ca670785317473e1edacda5ec87ce7b0b9f5f0478a25f55dc9ece53426ceb19
Instruction Fuzzy Hash: 9E21F575A40329BFDB50DFE5EC59AA97FF4FB49B64F00401AE504AA6E0D7B105428FA0

Function 009D3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,009D316A,?,?), ref: 009D31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,009D316A,?,?), ref: 009D3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009D3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,009D316A,?,?), ref: 009D3232
CreatePopupMenu.USER32 ref: 009D3246
PostQuitMessage.USER32(00000000), ref: 009D3267

Strings

TaskbarCreated, xrefs: 009D322D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8c5dae07a08032f1d1661f73cb7b19cceba3f06d7a9606442e0e77628671ef93
Instruction ID: d0222f5ddf5c73175dac1a2da158d4b21d7b3322f42f82f7fc2fe4a4d98645b3
Opcode Fuzzy Hash: 8c5dae07a08032f1d1661f73cb7b19cceba3f06d7a9606442e0e77628671ef93
Instruction Fuzzy Hash: FC4158356C4202BBDF149FB8EC09BBA3A29E746352F04C127F661863E1D7A5CA41D763

Function 009D1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009D1459
CoUninitialize.COMBASE ref: 009D14F8
UnregisterHotKey.USER32(?), ref: 009D16DD
DestroyWindow.USER32(?), ref: 00A124B9
FreeLibrary.KERNEL32(?), ref: 00A1251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A1254B

Strings

close all, xrefs: 009D1454

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ab401ee1d65d41b38dce0cab89dc02404056b998de8458115b989cc8541c7964
Instruction ID: c6f4d752118615f163d31f9bc86c1abfe0d3092b5aaf7dc5d87f019c6b3f3fc6
Opcode Fuzzy Hash: ab401ee1d65d41b38dce0cab89dc02404056b998de8458115b989cc8541c7964
Instruction Fuzzy Hash: 42D189327412129FCB29EF15C895B69F7A5BF45710F1481AEE44A6B361CB30EC62CF50

Function 009D2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009D2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009D2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,009D1CAD,?), ref: 009D2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,009D1CAD,?), ref: 009D2CCF

Strings

edit, xrefs: 009D2CAC
AutoIt v3, xrefs: 009D2C89, 009D2C8E, 009D2C8F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: aa1a02af9a7d855817427844831fa47102de40232a9c661f845c20d599020916
Instruction ID: 42a3bd6ad19b1af8dfc94cf9ce344990aa8424ef10a8b0af42710c789568c610
Opcode Fuzzy Hash: aa1a02af9a7d855817427844831fa47102de40232a9c661f845c20d599020916
Instruction Fuzzy Hash: 77F0DA7A5402A17AEB719B97AC0CE772EBDD7C7F60F00005EF900AA5A0D7A51852DAB0

Function 009D10F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009D1BF4
Part of subcall function 009D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 009D1BFC
Part of subcall function 009D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009D1C07
Part of subcall function 009D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009D1C12
Part of subcall function 009D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 009D1C1A
Part of subcall function 009D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 009D1C22

Part of subcall function 009D1B4A: RegisterWindowMessageW.USER32(00000004,?,009D12C4), ref: 009D1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009D136A
OleInitialize.OLE32 ref: 009D1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00A124AB

Strings

&, xrefs: 009D116A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: &
API String ID: 1986988660-2586148540
Opcode ID: 4b3ac93e66f7cc1499650b4630310dc8de42ccce6c379b98391bb97621aa1e75
Instruction ID: eb65c2f07cb1fb7135861011b2f7b26511d535af2e175924c58be8e682340e95
Opcode Fuzzy Hash: 4b3ac93e66f7cc1499650b4630310dc8de42ccce6c379b98391bb97621aa1e75
Instruction Fuzzy Hash: 95719AB9D11213AFC388EFB9A9556657AE0FB8F394F54822AD04AC73E1EB344442CF44

Function 009D3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009D3B0F,SwapMouseButtons,00000004,?), ref: 009D3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009D3B0F,SwapMouseButtons,00000004,?), ref: 009D3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,009D3B0F,SwapMouseButtons,00000004,?), ref: 009D3B83

Strings

Control Panel\Mouse, xrefs: 009D3B3E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dc6f5645feda488995542f3f4012de583b5b3fdf09aed5c9dcce20317eb117cd
Instruction ID: 68d3c6df7618543080b7c5be605e05b974b4431522375751560c2215d8c64951
Opcode Fuzzy Hash: dc6f5645feda488995542f3f4012de583b5b3fdf09aed5c9dcce20317eb117cd
Instruction Fuzzy Hash: 8F1157B5650208FFDB20CFA4DC84ABEBBBCEF00751B10C96BE801D7210E2759E409BA0

Function 009D3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A133A2

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 009D3A04

Strings

Line: , xrefs: 00A133EB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9353894deb4ecc5e27ce6c30a0ff061db2fb0dc3ea7db55b5ea1c3573a8a689a
Instruction ID: 81299b67a750f6820bf96def102821a689cd55ec768a288d3b0334968923cef5
Opcode Fuzzy Hash: 9353894deb4ecc5e27ce6c30a0ff061db2fb0dc3ea7db55b5ea1c3573a8a689a
Instruction Fuzzy Hash: 7C31E371588304AAC720EF60DC45BEBB3E8AB81710F00C92BF599872D1DB749A49C7D3

Function 009EFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009F0668

Part of subcall function 009F32A4: RaiseException.KERNEL32(?,?,?,009F068A,?,00AA1444,?,?,?,?,?,?,009F068A,009D1129,00A98738,009D1129), ref: 009F3304

__CxxThrowException@8.LIBVCRUNTIME ref: 009F0685

Strings

Unknown exception, xrefs: 009F0692

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b9ba020d740bb052ec8ea03418521796f48b395bcb6e3c9c1e7840ea28458a29
Instruction ID: 628404d2c3bcd70e09eabfd890ba07b2de63fcc05f3d2e4ff1c9206dea61d114
Opcode Fuzzy Hash: b9ba020d740bb052ec8ea03418521796f48b395bcb6e3c9c1e7840ea28458a29
Instruction Fuzzy Hash: DBF0C83490020D778F00B665DC56EBE7B6C6EC0350B604531BB24D55D2EF75DA65C780

Function 00A3C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 009D3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A3C259
KillTimer.USER32(?,00000001,?,?), ref: 00A3C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A3C270

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 42ef857a27c128ca515b07e5958ecaff33c77bb81f5df78ed1d561e057c2d3af
Instruction ID: a7851c9a54fa4f88fc6afd88e18504748a6b79693a3288c08788c4fb4ae20bee
Opcode Fuzzy Hash: 42ef857a27c128ca515b07e5958ecaff33c77bb81f5df78ed1d561e057c2d3af
Instruction Fuzzy Hash: AD31C370904354AFEB22DFA48C55BE7BBFC9B06314F00049AE2DAA7241C7745A85CB51

Function 00A086AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00A085CC,?,00A98CC8,0000000C), ref: 00A08704
GetLastError.KERNEL32(?,00A085CC,?,00A98CC8,0000000C), ref: 00A0870E
__dosmaperr.LIBCMT ref: 00A08739

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 050cf3ae7886eb5e2e9041036446019406955b58a9ccc94a2d791ebdb4977680
Instruction ID: 7adb56165f1acd9328f16006dcacd7945315916301087fb03d32a0ca5417f18c
Opcode Fuzzy Hash: 050cf3ae7886eb5e2e9041036446019406955b58a9ccc94a2d791ebdb4977680
Instruction Fuzzy Hash: 6B01CE32E0022C1AC620A334B965B7F6B584B93774F3A0119F8449F1D3DFAACC818249

Function 009DDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 009DDB7B
DispatchMessageW.USER32(?), ref: 009DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009DDB9F
Sleep.KERNELBASE(0000000A), ref: 009DDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00A21CC9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 599a1317f7de7f4bb6684225c27ea87b3f8d8a7c71e44be8b3cccae74b42eada
Instruction ID: a5e92b7fb75b1f43b91916236197ac1a86ddfb780927d76fd2040dfd704a50e5
Opcode Fuzzy Hash: 599a1317f7de7f4bb6684225c27ea87b3f8d8a7c71e44be8b3cccae74b42eada
Instruction Fuzzy Hash: 75F082306853409BE730CBA0DC89FEA73BCEB89310F10892AE64AC31C0DB749489DB15

Function 009E1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009E17F6

Strings

CALL, xrefs: 009E17C6

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a8af8f353ddc0a467f2357f9b12f80549bbb25f8778da219da2566d836358b75
Instruction ID: 741731edb976257dddbc65e8775230ec38d481f580fd0b4e5c755597c9a63b06
Opcode Fuzzy Hash: a8af8f353ddc0a467f2357f9b12f80549bbb25f8778da219da2566d836358b75
Instruction Fuzzy Hash: 78228A706082819FC715DF19C490B2ABBF5BF89314F24896DF4968B3A2D735EC41CB82

Function 009D2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A12C8C

Part of subcall function 009D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009D3A97,?,?,009D2E7F,?,?,?,00000000), ref: 009D3AC2

Part of subcall function 009D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009D2DC4

Strings

X, xrefs: 00A12C5A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: a11e8628bffae6ed58c8bc9e2b43dda33c406ab0053a1d322e4fdf93c5817c6e
Instruction ID: def4142afd0bd842e9e0138178f8237c67c17d7b7e5829179c159a42cd95ff2b
Opcode Fuzzy Hash: a11e8628bffae6ed58c8bc9e2b43dda33c406ab0053a1d322e4fdf93c5817c6e
Instruction Fuzzy Hash: 5521A571A402589FCF41EF94C845BEE7BFCAF89315F00805AE505B7341DBB89A898FA1

Function 009D3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 009D3908

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 57f2e4a1cdbb6ef900b75971a05bf30d3d0d4dccbfb20f55af582045ed3ecf0e
Instruction ID: 995f07d8a36cd8fabc07274ebb39d874c0590f196a10c35985b89cc12f4bf3da
Opcode Fuzzy Hash: 57f2e4a1cdbb6ef900b75971a05bf30d3d0d4dccbfb20f55af582045ed3ecf0e
Instruction Fuzzy Hash: 503181705043019FD760DF64D884797BBE8FB49719F00492EF59997380E7B1AA44CB52

Function 009EF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009EF661

Part of subcall function 009DD730: GetInputState.USER32 ref: 009DD807

Sleep.KERNEL32(00000000), ref: 00A2F2DE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: ce5a65b443f32a701280f59ca12bedb811995b2c66727119c33195b14e1439ea
Instruction ID: fe62aa546ac3112d65978f87cc03baf6cff72b3d06a25a4c7277989c445654a1
Opcode Fuzzy Hash: ce5a65b443f32a701280f59ca12bedb811995b2c66727119c33195b14e1439ea
Instruction Fuzzy Hash: F0F08C312802159FD310EF69E449B6AB7F8EF867A0F00402AF859C7360DBB0A800CB90

Function 009D4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009D4EDD,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4E9C
Part of subcall function 009D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009D4EAE
Part of subcall function 009D4E90: FreeLibrary.KERNEL32(00000000,?,?,009D4EDD,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4EFD

Part of subcall function 009D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A13CDE,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4E62
Part of subcall function 009D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009D4E74
Part of subcall function 009D4E59: FreeLibrary.KERNEL32(00000000,?,?,00A13CDE,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4E87

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 83a41498ba908083b017c1e862531595f64c988000e7d8bebbd1d9debea626ed
Instruction ID: 28fc6c73fdb6d92016237b47bdc4bbece17c294a8f3be6fba811a76f495d4d50
Opcode Fuzzy Hash: 83a41498ba908083b017c1e862531595f64c988000e7d8bebbd1d9debea626ed
Instruction Fuzzy Hash: 4011E732680205ABCF14FFA4DC06FAD77A5AF90710F10C42FF542A62E1DE749A459B60

Function 00A08402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A08440

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: dde20e58d66e2f97b142c56e449b40ffbe6192ae537809771722fbd59c8e5edc
Instruction ID: 9239f410f3b7e5e81130410683fc82ec223e6aafea8cdfd11a481c027ef60441
Opcode Fuzzy Hash: dde20e58d66e2f97b142c56e449b40ffbe6192ae537809771722fbd59c8e5edc
Instruction Fuzzy Hash: 5811187590410EAFCB05DF58E9419DE7BF5EF48314F104059F808AB352DB31DA11CBA9

Function 00A05000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A04C7D: RtlAllocateHeap.NTDLL(00000008,009D1129,00000000,?,00A02E29,00000001,00000364,?,?,?,009FF2DE,00A03863,00AA1444,?,009EFDF5,?), ref: 00A04CBE

_free.LIBCMT ref: 00A0506C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 45db50952e4e08adce72f291972dada64dfd141a1506dc9852d15bbd2a802511
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 0A012B726047085FE3218F65E885A5AFBECFB89370F25052DE184832C0E6306905CB74

Function 009FE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 89e0899754d7d2e83d438d7526da46ca3de78d654633f515fae2982fb8d4b310
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3AF0F432511A1C96DA323E69AD09B7A339C9F92334F100B15F661D61E2DF74980187A9

Function 00A04C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,009D1129,00000000,?,00A02E29,00000001,00000364,?,?,?,009FF2DE,00A03863,00AA1444,?,009EFDF5,?), ref: 00A04CBE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0f071f518bc62feac34f0acf706fcddb3a4db14bfb01e763c6a600bc28ef083b
Instruction ID: 2b68915e14f1d5bab47bd7a59e1a25029d8443660612e1af8cc5cb11f6631995
Opcode Fuzzy Hash: 0f071f518bc62feac34f0acf706fcddb3a4db14bfb01e763c6a600bc28ef083b
Instruction Fuzzy Hash: 9AF0B47160622C77FB215F62BC09B6B3798BF857B0F144111FA1AAA1C0CA70D80147E0

Function 00A03820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00AA1444,?,009EFDF5,?,?,009DA976,00000010,00AA1440,009D13FC,?,009D13C6,?,009D1129), ref: 00A03852

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 115e51088316c9d4b46de5dd66e56be61a8271e46ed0ede8f616823b3e02859a
Instruction ID: 9138971ce14c8dfe97f50f366622c6d92082adab060641e94b12c6e68d478885
Opcode Fuzzy Hash: 115e51088316c9d4b46de5dd66e56be61a8271e46ed0ede8f616823b3e02859a
Instruction Fuzzy Hash: 0FE0E53350122C66DF212FB7BC00BAB365CAF827B0F0581A0FD15964C0CB11DE0583E0

Function 009D4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4F6D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e20d3faf44ba82a7bb93bf570331b745738c5c6ec38adf8d556e5674a559b648
Instruction ID: 1331b190435004993aa7e88665a654820fba10aeaf469517d51f6692b9a713b2
Opcode Fuzzy Hash: e20d3faf44ba82a7bb93bf570331b745738c5c6ec38adf8d556e5674a559b648
Instruction Fuzzy Hash: 53F01571145752CFDB349F68D490822BBF8AF24329320CA6FE2EA82621CB359844DB50

Function 00A62A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A62A66

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 53457df0b18a49e3c4f52ec545aa99efb1ecb37d6f6b755f06589698c533becf
Instruction ID: 3f7d879154331a7466eac5f0c1f41ee148d46f64271351e288933c7615c43704
Opcode Fuzzy Hash: 53457df0b18a49e3c4f52ec545aa99efb1ecb37d6f6b755f06589698c533becf
Instruction Fuzzy Hash: 8EE0863A754516AAC714EB70DC80AFE777CEF643D5B104536FC26C2100DB74999587E0

Function 009D30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 009D314E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 0afc3499d8294866358924896e98d21d0e5bdce3c9da9fe6356ebcd2fe8c31a1
Instruction ID: 8ed93aa348b493ac43a66ae507ccf0af035f34cf82eeae9c2857aaf522fef399
Opcode Fuzzy Hash: 0afc3499d8294866358924896e98d21d0e5bdce3c9da9fe6356ebcd2fe8c31a1
Instruction Fuzzy Hash: D1F03770914359AFEB92DF64DC497E67BBCA701708F0000E5A68896291DBB45789CF51

Function 009D2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009D2DC4

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2500b591fcee16eccfcd10fad436adf8169dcaa215117d9e31841fa89ffc160c
Instruction ID: d21005359b155e9a4695ec876ddd8c484268354f7b3f645ff7891ecfb7b55d41
Opcode Fuzzy Hash: 2500b591fcee16eccfcd10fad436adf8169dcaa215117d9e31841fa89ffc160c
Instruction Fuzzy Hash: 40E0CD726041245BC710E2989C05FEA77EDDFC8790F044072FD09D7248D964AD818550

Function 009D2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009D3908

Part of subcall function 009DD730: GetInputState.USER32 ref: 009DD807

SetCurrentDirectoryW.KERNEL32(?), ref: 009D2B6B

Part of subcall function 009D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 009D314E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ea7a50a53742738e8200d59ccd94862951c019f9a360b436409751f0db8aeb24
Instruction ID: 04d92d8682551ba442d7a90e75a64979616eea17b3d4e94c9c940d45b4fea195
Opcode Fuzzy Hash: ea7a50a53742738e8200d59ccd94862951c019f9a360b436409751f0db8aeb24
Instruction Fuzzy Hash: 95E0266138020413C604BBB4A81267DA7598BE6352F00C43FF042833A2CF6449464212

Function 00A1039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00A10704,?,?,00000000,?,00A10704,00000000,0000000C), ref: 00A103B7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c6c91a6f412dcb1ed2363f89ba2a13501c6e3abacc452e5a9c303475be2d30ee
Instruction ID: 5a5568707c8de4f5630ebbb6624174a6c9fa92cbd4454a2d0e603da209bf77b1
Opcode Fuzzy Hash: c6c91a6f412dcb1ed2363f89ba2a13501c6e3abacc452e5a9c303475be2d30ee
Instruction Fuzzy Hash: 1DD06C3204010DBBDF028F84DD06EDA3BAAFB48714F014100FE5856020C772E822AB90

Function 009D1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 009D1CBC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e526d8cceae8a913e68aa06fd33628e4409dc0674aca29706e71a5dd347c781c
Instruction ID: 50c07819302c23813dc11a00ad4994c611a1a2e669c46cba1ff8c572ca3a36cc
Opcode Fuzzy Hash: e526d8cceae8a913e68aa06fd33628e4409dc0674aca29706e71a5dd347c781c
Instruction Fuzzy Hash: 9EC09B352C0306AFF614CBC4BC4EF107764B349F14F044001F649595E3C3E21421DB50

Non-executed Functions

Function 00A69576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A6961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A6965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A6969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A696C9
SendMessageW.USER32 ref: 00A696F2
GetKeyState.USER32(00000011), ref: 00A6978B
GetKeyState.USER32(00000009), ref: 00A69798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A697AE
GetKeyState.USER32(00000010), ref: 00A697B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A697E9
SendMessageW.USER32 ref: 00A69810
SendMessageW.USER32(?,00001030,?,00A67E95), ref: 00A69918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A6992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A69941
SetCapture.USER32(?), ref: 00A6994A
ClientToScreen.USER32(?,?), ref: 00A699AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A699BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A699D6
ReleaseCapture.USER32 ref: 00A699E1
GetCursorPos.USER32(?), ref: 00A69A19
ScreenToClient.USER32(?,?), ref: 00A69A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A69A80
SendMessageW.USER32 ref: 00A69AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A69AEB
SendMessageW.USER32 ref: 00A69B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A69B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A69B4A
GetCursorPos.USER32(?), ref: 00A69B68
ScreenToClient.USER32(?,?), ref: 00A69B75
GetParent.USER32(?), ref: 00A69B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A69BFA
SendMessageW.USER32 ref: 00A69C2B
ClientToScreen.USER32(?,?), ref: 00A69C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A69CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A69CDE
SendMessageW.USER32 ref: 00A69D01
ClientToScreen.USER32(?,?), ref: 00A69D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A69D82

Part of subcall function 009E9944: GetWindowLongW.USER32(?,000000EB), ref: 009E9952

GetWindowLongW.USER32(?,000000F0), ref: 00A69E05

Strings

F, xrefs: 00A69D07
@GUI_DRAGID, xrefs: 00A6997D
V, xrefs: 00A69728, 00A69894, 00A698B7, 00A698EF, 00A69A3C, 00A69BB7, 00A69C5E, 00A69C8E, 00A69D2C, 00A69D58, 00A69DA1, 00A69DF2, 00A69E16, 00A69E40

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$V
API String ID: 3429851547-1052069573
Opcode ID: a674ff33a5460529ecfeb6ca634b9e82d0a0fbb8d151f4ca96c55d403d5ebc46
Instruction ID: abd45b1ab449af1052bf4d45470ecddcb71f3fa7f5e955116a5687ca24ba51fa
Opcode Fuzzy Hash: a674ff33a5460529ecfeb6ca634b9e82d0a0fbb8d151f4ca96c55d403d5ebc46
Instruction Fuzzy Hash: 86428C38204341AFDB25CF68CC84AABBBF9FF89320F144619F699872A1D771E855CB51

Function 00A64873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A648F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A64908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A64927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A6494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A6495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A6497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A649AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A649D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A64A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A64A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A64A7E
IsMenu.USER32(?), ref: 00A64A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A64AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A64B20
GetWindowLongW.USER32(?,000000F0), ref: 00A64B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A64BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A64C82
wsprintfW.USER32 ref: 00A64CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A64CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A64CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A64D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A64D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A64D5A

Strings

V, xrefs: 00A6489F
%d/%02d/%02d, xrefs: 00A64CA8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$V
API String ID: 4054740463-2366541203
Opcode ID: 9a350ffdd2d7ac4310ab286a7078d02fcace8079304c61e78e3d01dd4b605218
Instruction ID: 72f585566fde3da8fc2413f4cbf96fc5e6cf3a7a213fb49bd4bf720535330c82
Opcode Fuzzy Hash: 9a350ffdd2d7ac4310ab286a7078d02fcace8079304c61e78e3d01dd4b605218
Instruction Fuzzy Hash: 0F121171600254ABEB258F68DC49FBE7BF8EF89710F104129F516EB2E1DBB89941CB50

Function 009EF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 009EF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A2F474
IsIconic.USER32(00000000), ref: 00A2F47D
ShowWindow.USER32(00000000,00000009), ref: 00A2F48A
SetForegroundWindow.USER32(00000000), ref: 00A2F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A2F4AA
GetCurrentThreadId.KERNEL32 ref: 00A2F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A2F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A2F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A2F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A2F4DE
SetForegroundWindow.USER32(00000000), ref: 00A2F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A2F4F6
keybd_event.USER32(00000012,00000000), ref: 00A2F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A2F50B
keybd_event.USER32(00000012,00000000), ref: 00A2F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A2F519
keybd_event.USER32(00000012,00000000), ref: 00A2F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A2F528
keybd_event.USER32(00000012,00000000), ref: 00A2F52D
SetForegroundWindow.USER32(00000000), ref: 00A2F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A2F557

Strings

Shell_TrayWnd, xrefs: 00A2F46F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 87a071cc813898233bd11b30f61fd744e2e5323370b76bd4efd2c5caa0031b43
Instruction ID: 3072843c02ebcd1c1fa09fbc13336ffb7ee0f1f1e6787690649137fc4a227961
Opcode Fuzzy Hash: 87a071cc813898233bd11b30f61fd744e2e5323370b76bd4efd2c5caa0031b43
Instruction Fuzzy Hash: 15313271A802287EEB216BF55C49FBF7E7CEB44B60F100076FA41E61D1C6F15D01AA61

Function 00A31201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A3170D
Part of subcall function 00A316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A3173A
Part of subcall function 00A316C3: GetLastError.KERNEL32 ref: 00A3174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A31286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A312A8
CloseHandle.KERNEL32(?), ref: 00A312B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A312D1
GetProcessWindowStation.USER32 ref: 00A312EA
SetProcessWindowStation.USER32(00000000), ref: 00A312F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A31310

Part of subcall function 00A310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A311FC), ref: 00A310D4
Part of subcall function 00A310BF: CloseHandle.KERNEL32(?,?,00A311FC), ref: 00A310E9

Strings

, xrefs: 00A3125A
winsta0, xrefs: 00A312CC
default, xrefs: 00A3130B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: ccac5195d7404d16f7fed27cebc8102f7cc964d81d392cee7cc1dd451bf17e65
Instruction ID: cd8a400e98ae05ca12512bdbd8d08a00369e99fe60bdae74376020d4f6aad5bb
Opcode Fuzzy Hash: ccac5195d7404d16f7fed27cebc8102f7cc964d81d392cee7cc1dd451bf17e65
Instruction Fuzzy Hash: E78179B1A00349ABDF21DFA4DD4AFFE7BB9EF04714F144129FA11A61A0DB758945CB20

Function 00A30B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A31114
Part of subcall function 00A310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A31120
Part of subcall function 00A310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A3112F
Part of subcall function 00A310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A31136
Part of subcall function 00A310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A3114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A30BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A30C00
GetLengthSid.ADVAPI32(?), ref: 00A30C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A30C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A30C6D
GetLengthSid.ADVAPI32(?), ref: 00A30C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A30C8C
HeapAlloc.KERNEL32(00000000), ref: 00A30C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A30CB4
CopySid.ADVAPI32(00000000), ref: 00A30CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A30CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A30D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A30D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A30D45
HeapFree.KERNEL32(00000000), ref: 00A30D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A30D55
HeapFree.KERNEL32(00000000), ref: 00A30D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A30D65
HeapFree.KERNEL32(00000000), ref: 00A30D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A30D78
HeapFree.KERNEL32(00000000), ref: 00A30D7F

Part of subcall function 00A31193: GetProcessHeap.KERNEL32(00000008,00A30BB1,?,00000000,?,00A30BB1,?), ref: 00A311A1
Part of subcall function 00A31193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A30BB1,?), ref: 00A311A8
Part of subcall function 00A31193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A30BB1,?), ref: 00A311B7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9e5a49a83e13a447ed2de7f57d92ba0868889a99bfd9494d84069a8193127123
Instruction ID: 6a47c741e44db2ea6cf0791055a732211192bb96dc407cd6c26db5fc9f351033
Opcode Fuzzy Hash: 9e5a49a83e13a447ed2de7f57d92ba0868889a99bfd9494d84069a8193127123
Instruction Fuzzy Hash: 1B71687290021AABDF11DFE4DC48FAEBBB8BF05350F044655F954A6291D7B1AA06CBA0

Function 00A4EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A6CC08), ref: 00A4EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A4EB37
GetClipboardData.USER32(0000000D), ref: 00A4EB43
CloseClipboard.USER32 ref: 00A4EB4F
GlobalLock.KERNEL32(00000000), ref: 00A4EB87
CloseClipboard.USER32 ref: 00A4EB91
GlobalUnlock.KERNEL32(00000000), ref: 00A4EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A4EBC9
GetClipboardData.USER32(00000001), ref: 00A4EBD1
GlobalLock.KERNEL32(00000000), ref: 00A4EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00A4EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A4EC38
GetClipboardData.USER32(0000000F), ref: 00A4EC44
GlobalLock.KERNEL32(00000000), ref: 00A4EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A4EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A4EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A4ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00A4ECF3
CountClipboardFormats.USER32 ref: 00A4ED14
CloseClipboard.USER32 ref: 00A4ED59

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: bf7b78bc0d5a2301d3d07d1e34b2456c0be0b1e9d0a4c020eec80ecaafe7e736
Instruction ID: d13c0d18fb06c55bcf3119fd1429e0a31f5decf27fea98709ad367b1b23d4f2e
Opcode Fuzzy Hash: bf7b78bc0d5a2301d3d07d1e34b2456c0be0b1e9d0a4c020eec80ecaafe7e736
Instruction Fuzzy Hash: 60618C39204201AFD300EF64D898F7AB7B4FF84754F14851AF896972A1CB71E946CBA2

Function 00A4698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A469BE
FindClose.KERNEL32(00000000), ref: 00A46A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A46A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A46A75

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A46AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A46ADF

Strings

%03d, xrefs: 00A46DA2
%02d, xrefs: 00A46C00, 00A46C0A, 00A46C5A, 00A46CAA, 00A46CFA, 00A46D4A
%4d, xrefs: 00A46BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00A46B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A46B32

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1c426ec32ac22affd516b2d4a92b83377802ae2cb3e1be24c2b16f7cfaae1f7a
Instruction ID: 1902153ffd24bb848c4629cf1bd0418abd71dc2d2aac391a23d4ddf70e43d0b7
Opcode Fuzzy Hash: 1c426ec32ac22affd516b2d4a92b83377802ae2cb3e1be24c2b16f7cfaae1f7a
Instruction Fuzzy Hash: 36D161B1548340AEC710EBA4D891EABB7FCAFC8704F44891EF589D7291EB74DA04C762

Function 00A49642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00A49663
GetFileAttributesW.KERNEL32(?), ref: 00A496A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A496BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A496D3
FindClose.KERNEL32(00000000), ref: 00A496DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A496FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A4974A
SetCurrentDirectoryW.KERNEL32(00A96B7C), ref: 00A49768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A49772
FindClose.KERNEL32(00000000), ref: 00A4977F
FindClose.KERNEL32(00000000), ref: 00A4978F

Strings

*.*, xrefs: 00A496F5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 95cafa10f51b3b3c53ec0fac79b493e32b1fe37855fbba6d1878995d0905594f
Instruction ID: 89e92585832d8b8490bd288987ea55f0e828234935ab70498fc7717dda581fac
Opcode Fuzzy Hash: 95cafa10f51b3b3c53ec0fac79b493e32b1fe37855fbba6d1878995d0905594f
Instruction Fuzzy Hash: 9431BC366406197ADB10EFB4DC08AEF77BCAF89330F104166E965E21A0EB70DE518B24

Function 00A4979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00A497BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A49819
FindClose.KERNEL32(00000000), ref: 00A49824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A49840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A49890
SetCurrentDirectoryW.KERNEL32(00A96B7C), ref: 00A498AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A498B8
FindClose.KERNEL32(00000000), ref: 00A498C5
FindClose.KERNEL32(00000000), ref: 00A498D5

Part of subcall function 00A3DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A3DB00

Strings

*.*, xrefs: 00A4983B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5276d7608d7dc38ec7369a09d469cc7a5f69f21a2996b7395b8f653d36863760
Instruction ID: 86dcc4c8df2d2e5816a98d79c8a6638b0cf48f6e811db8ac858a53ae6b8c61b0
Opcode Fuzzy Hash: 5276d7608d7dc38ec7369a09d469cc7a5f69f21a2996b7395b8f653d36863760
Instruction Fuzzy Hash: EB31C336640619BEDF10EFB8EC48AEF77BCAF86330F104556F964A2190EB70D9558B60

Function 00A5BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A5B6AE,?,?), ref: 00A5C9B5
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5C9F1
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA68
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A5BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A5BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00A5BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A5C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A5C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A5C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A5C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A5C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A5C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A5C382
RegCloseKey.ADVAPI32(00000000), ref: 00A5C38F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3f7b60a0abe69f9d9f60d84ef63bcbafb67703ee89ebdf6d016a579088e1d532
Instruction ID: 422e5166806356c4db10e6e157138da6b4563aa6e3329acd9773a7aecd527f56
Opcode Fuzzy Hash: 3f7b60a0abe69f9d9f60d84ef63bcbafb67703ee89ebdf6d016a579088e1d532
Instruction Fuzzy Hash: 0B023B71604200AFD714DF28C895E2ABBE5BF89328F18C49DF84ADB2A6D731ED45CB51

Function 00A48195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A48257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A48267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A48273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A48310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A48324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A48356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A4838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A48395

Strings

*.*, xrefs: 00A4839B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9e6f7d4d51f2554819e2f720da826dbd46ecce17a2dabc92d03efbbdec2c4b1b
Instruction ID: decd8dfdf918bd09bae5830721474d39467b989af18fceb44e02528be28c0f30
Opcode Fuzzy Hash: 9e6f7d4d51f2554819e2f720da826dbd46ecce17a2dabc92d03efbbdec2c4b1b
Instruction Fuzzy Hash: 066168B65043059FCB10EF64D840AAEB3E8FFC9314F04891EF99997251EB35E945CB92

Function 00A3D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009D3A97,?,?,009D2E7F,?,?,?,00000000), ref: 009D3AC2

Part of subcall function 00A3E199: GetFileAttributesW.KERNEL32(?,00A3CF95), ref: 00A3E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A3D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A3D1DD
MoveFileW.KERNEL32(?,?), ref: 00A3D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A3D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A3D237

Part of subcall function 00A3D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A3D21C,?,?), ref: 00A3D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A3D253
FindClose.KERNEL32(00000000), ref: 00A3D264

Strings

\*.*, xrefs: 00A3D0CD, 00A3D0D6, 00A3D0EB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 014e2070cfd360be76b7afc60f56f540719473dc9d52b82b054c5026e8507f2b
Instruction ID: 28ee68be3f1dd61557f17c78ab35086cd04fa8f509820964653d54dd7c57e3f8
Opcode Fuzzy Hash: 014e2070cfd360be76b7afc60f56f540719473dc9d52b82b054c5026e8507f2b
Instruction Fuzzy Hash: DD615C3194110DAFCF05EBE0EA92AEEB7B5AF55340F248166F40277291EB306F09DB61

Function 00A4ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A4ED91
EmptyClipboard.USER32 ref: 00A4ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A4EDAC
CloseClipboard.USER32 ref: 00A4EEA3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3576c0861ee07f786802d8ebd3cf77345e1f934aead2c35efbd6b9ed3e727930
Instruction ID: 540d16195b8ffed3812d13a827f0c798725ff2def8ffdef98eac39555e67f964
Opcode Fuzzy Hash: 3576c0861ee07f786802d8ebd3cf77345e1f934aead2c35efbd6b9ed3e727930
Instruction Fuzzy Hash: 8041CE39604611AFD710DF55D889B69BBF5FF84328F14C099E4558B762C7B1EC42CB90

Function 00A3E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A3170D
Part of subcall function 00A316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A3173A
Part of subcall function 00A316C3: GetLastError.KERNEL32 ref: 00A3174A

ExitWindowsEx.USER32(?,00000000), ref: 00A3E932

Strings

, xrefs: 00A3E920
@, xrefs: 00A3E925
, xrefs: 00A3E95C
SeShutdownPrivilege, xrefs: 00A3E902

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 7df19a9498c4459b8651ecee57aefe56dc248fe9dfc791eebc24d06c79cd79a6
Instruction ID: 6a17bdd55564dfbcac9dbed6f628282bc1d9ee9c9d2445538296b5d0e1963101
Opcode Fuzzy Hash: 7df19a9498c4459b8651ecee57aefe56dc248fe9dfc791eebc24d06c79cd79a6
Instruction Fuzzy Hash: 9001F972710211ABEB54A7F49C86FBFB27CAB14760F154822FC13F21D1D6A05C408390

Function 00A51204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00A51276
WSAGetLastError.WSOCK32 ref: 00A51283
bind.WSOCK32(00000000,?,00000010), ref: 00A512BA
WSAGetLastError.WSOCK32 ref: 00A512C5
closesocket.WSOCK32(00000000), ref: 00A512F4
listen.WSOCK32(00000000,00000005), ref: 00A51303
WSAGetLastError.WSOCK32 ref: 00A5130D
closesocket.WSOCK32(00000000), ref: 00A5133C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: e03a50d01676033f4baf036f2f81df4163b051de8f55232ed240c63b36e154bd
Instruction ID: 372900b59660c5fe5b2152510e7f5f6398c8168607510c38dd4c7d4c1b6a8ac0
Opcode Fuzzy Hash: e03a50d01676033f4baf036f2f81df4163b051de8f55232ed240c63b36e154bd
Instruction Fuzzy Hash: 35418E316001019FD720DF64D488B79BBF5BF86329F188199E8569F292C775EC86CBE1

Function 00A0B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A0B9D4
_free.LIBCMT ref: 00A0B9F8
_free.LIBCMT ref: 00A0BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A73700), ref: 00A0BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00AA121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A0BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00AA1270,000000FF,?,0000003F,00000000,?), ref: 00A0BC36
_free.LIBCMT ref: 00A0BD4B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e7319c1c0b25f6ccf22dea20b63ee5642372b20d0e759011791b2b785792d079
Instruction ID: 728f6ba9adb672db9b7b5e865ba8d1f4d1427e4d1a76bb5396313895899bcd29
Opcode Fuzzy Hash: e7319c1c0b25f6ccf22dea20b63ee5642372b20d0e759011791b2b785792d079
Instruction Fuzzy Hash: 8BC11B71A1420DAFDB10DF68AE41BAABBB8EF46350F24416AE594D72D1E7309E41C770

Function 00A3D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009D3A97,?,?,009D2E7F,?,?,?,00000000), ref: 009D3AC2

Part of subcall function 00A3E199: GetFileAttributesW.KERNEL32(?,00A3CF95), ref: 00A3E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A3D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A3D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A3D481
FindClose.KERNEL32(00000000), ref: 00A3D498
FindClose.KERNEL32(00000000), ref: 00A3D4A1

Strings

\*.*, xrefs: 00A3D3F2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5d663cb7bebfea67c5b5594f93925a6d431d94bff878b6b0bceac773c0a78cbe
Instruction ID: 301e2000519f4674f60a675fa9f4021d0ec62eed34c61e16bf693a96c84a4af8
Opcode Fuzzy Hash: 5d663cb7bebfea67c5b5594f93925a6d431d94bff878b6b0bceac773c0a78cbe
Instruction Fuzzy Hash: 9B317E71048341AFC301EF64D8919AFB7E8AED1354F448A1EF4E193291EB30AA19D763

Function 00A0E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A0E645

Strings

1#SNAN, xrefs: 00A0F844
1#INF, xrefs: 00A0F852
1#QNAN, xrefs: 00A0F84B
1#IND, xrefs: 00A0F83D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bb0bbe6fff637cf80073ee6ee6be80e714b0d567cf3ae3fd7904208fa6062baa
Instruction ID: f6bfb6013dc298ceda7aaa6d9c44f7590a876f0c47ba68ea300d73a4b5c3f363
Opcode Fuzzy Hash: bb0bbe6fff637cf80073ee6ee6be80e714b0d567cf3ae3fd7904208fa6062baa
Instruction Fuzzy Hash: 7FC22971E0462C8FDB25CF28AD407EAB7B5EB88305F1445EAD84DE7280E775AE859F40

Function 00A4648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A464DC
CoInitialize.OLE32(00000000), ref: 00A46639
CoCreateInstance.OLE32(00A6FCF8,00000000,00000001,00A6FB68,?), ref: 00A46650
CoUninitialize.OLE32 ref: 00A468D4

Strings

.lnk, xrefs: 00A464BA, 00A46524, 00A465E0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ceb1bd05d5400c0f1a566edb14331e321a92196010211c79f7d2f6c8e4e5e65e
Instruction ID: f47e5c51f72d7c789c499f3ca73de42c978228e6b8b37354d7ae9ac23663c757
Opcode Fuzzy Hash: ceb1bd05d5400c0f1a566edb14331e321a92196010211c79f7d2f6c8e4e5e65e
Instruction Fuzzy Hash: 87D14971648201AFC314EF24C881A6BB7E8FFD5704F50896DF5958B2A1EB70ED05CB92

Function 00A522DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A522E8

Part of subcall function 00A4E4EC: GetWindowRect.USER32(?,?), ref: 00A4E504

GetDesktopWindow.USER32 ref: 00A52312
GetWindowRect.USER32(00000000), ref: 00A52319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A52355
GetCursorPos.USER32(?), ref: 00A52381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A523DF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 2c6367c50a846f6963faba7ef481988efa0982f71066ce012b8a77d13a9c970f
Instruction ID: bbf96574775c64bdb2b9806ff7b72f0e536ed3883a531a7833d73cc2c09bcf78
Opcode Fuzzy Hash: 2c6367c50a846f6963faba7ef481988efa0982f71066ce012b8a77d13a9c970f
Instruction Fuzzy Hash: E331E072504315AFC720DF54CC49B6BBBA9FF85724F000919F9859B191DB74EA09CB92

Function 00A49B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A49B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A49C8B

Part of subcall function 00A43874: GetInputState.USER32 ref: 00A438CB
Part of subcall function 00A43874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A43966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A49BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A49C75

Strings

*.*, xrefs: 00A49B5D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 53f3ee0d42bf8c74c87b7362a252c74514486925108377b71b419f0bc6b730e7
Instruction ID: ff940831b8860eb9b4024b5eebfdfaebc8b31cb8944e1dda47ef5c3c3e4a8fae
Opcode Fuzzy Hash: 53f3ee0d42bf8c74c87b7362a252c74514486925108377b71b419f0bc6b730e7
Instruction Fuzzy Hash: 0B41927594020AAFCF14EFA4C985AEFBBB4FF85311F208156E815A2291EB309E55CF61

Function 009E997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 009E9A4E
GetSysColor.USER32(0000000F), ref: 009E9B23
SetBkColor.GDI32(?,00000000), ref: 009E9B36

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 524a78ba2cca70f688b09dc967f9ad12fed27e7ea84d7090f2e4f6238da4db74
Instruction ID: 8093d3242986c269a7530f3659a00e87755fd13160b617d6c32a2f0cf69f0341
Opcode Fuzzy Hash: 524a78ba2cca70f688b09dc967f9ad12fed27e7ea84d7090f2e4f6238da4db74
Instruction Fuzzy Hash: 54A119701085A4BEE72ADB3E9C58E7F266DDF86344F140629F502DA6D1CB29DE01D272

Function 00A51806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5304E: inet_addr.WSOCK32(?), ref: 00A5307A
Part of subcall function 00A5304E: _wcslen.LIBCMT ref: 00A5309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00A5185D
WSAGetLastError.WSOCK32 ref: 00A51884
bind.WSOCK32(00000000,?,00000010), ref: 00A518DB
WSAGetLastError.WSOCK32 ref: 00A518E6
closesocket.WSOCK32(00000000), ref: 00A51915

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d46672189a63c461e6feb08e43f0d27c295e2e3d3723c2b004dab48205e2dfa9
Instruction ID: 4f4a797983c42be8199f7cb9d3698d432e9861383325f90e8e378e3a049fa052
Opcode Fuzzy Hash: d46672189a63c461e6feb08e43f0d27c295e2e3d3723c2b004dab48205e2dfa9
Instruction Fuzzy Hash: D351A071A40200AFDB20AF64C886F7AB7E5AB84718F088459F945AF3D3D671AD41CBA1

Function 00A61C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A61CC0
IsWindowEnabled.USER32 ref: 00A61CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A61CDB
IsIconic.USER32 ref: 00A61CE9
IsZoomed.USER32 ref: 00A61CF7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9d3b11a391575459a9e9efadcf6c0e60cdd7f98f098ff2ab86e8ea22c544a4da
Instruction ID: 6d2607f7270b3c6e10fc19d6f1e4d78019bfbb66c9ac0da7555e5a426b1f400b
Opcode Fuzzy Hash: 9d3b11a391575459a9e9efadcf6c0e60cdd7f98f098ff2ab86e8ea22c544a4da
Instruction Fuzzy Hash: 4621A1317806119FD7209F2AC884B6A7FF5EF95325B1D8469E886CB351DBB1EC42CB90

Function 009D8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 009D813C
VUUU, xrefs: 009D843C
VUUU, xrefs: 009D83E8
VUUU, xrefs: 009D83FA
VUUU, xrefs: 00A15DF0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 25bd19452b70e6ebfffe43b0a566b9a272e3f5babf3258f575880e92c2e03d0c
Instruction ID: 43216bce54cef42f4f17424bb68abdf796fe05fb2fdcfcf0a8b3893aed4cf438
Opcode Fuzzy Hash: 25bd19452b70e6ebfffe43b0a566b9a272e3f5babf3258f575880e92c2e03d0c
Instruction Fuzzy Hash: DFA26D71E4061ACBDF24CF58C9407EEB7B1BB94310F2485AAE815AB385EB749DC1CB90

Function 00A3AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A3AAAC
SetKeyboardState.USER32(00000080), ref: 00A3AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A3AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A3AB88

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 84c246fa94fcfd7a689b29011e945d7e8a1e6037227fa735770081620cb9b766
Instruction ID: 017d621bb410f30e83962d6194a31aa5d6ba2dad04c81a1b7edeaec269bb104c
Opcode Fuzzy Hash: 84c246fa94fcfd7a689b29011e945d7e8a1e6037227fa735770081620cb9b766
Instruction Fuzzy Hash: 15310531A40268AEEB35CF64CC05BFABBBAAB64320F04421AF1D1961D1D3748D81C763

Function 00A4CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A4CE89
GetLastError.KERNEL32(?,00000000), ref: 00A4CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A4CEFE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 1990c420d8341941b6328541eed5c725f7629fdf1881dd4f7f1527a3f0e4d1b6
Instruction ID: 7fd5cbf3a1a30f4d70fc9982c011d4134d7ee88c18b36116420cea8932b337a4
Opcode Fuzzy Hash: 1990c420d8341941b6328541eed5c725f7629fdf1881dd4f7f1527a3f0e4d1b6
Instruction Fuzzy Hash: 4A21CFB5501305ABDB60DFA5C949BA7B7FCEF80364F10442EE64AD2151E774EE098B50

Function 00A38298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A382AA

Strings

|, xrefs: 00A382DA
(, xrefs: 00A382F0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 77762756bc2c87998ad205022a11db5438c5d1b59d81b43bc179761440ed31f6
Instruction ID: 9aad9a2012bafa93c2f1fe4ac379c9245f079b48b390a9e6f9d40e58fb1bb770
Opcode Fuzzy Hash: 77762756bc2c87998ad205022a11db5438c5d1b59d81b43bc179761440ed31f6
Instruction Fuzzy Hash: 21323475A007059FCB28CF69C481AAAB7F0FF48710B15856EE49ADB3A1EB74E941CB40

Function 00A45C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A45CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A45D17
FindClose.KERNEL32(?), ref: 00A45D5F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 8cfa7e81f26c46eb681bec1109d5d71893c06a37b86f664b19b6c806c97478ff
Instruction ID: 4889db78dbb70858afe36a9c572e3aa66c361f2bf2a60260d6afcd36b560bb65
Opcode Fuzzy Hash: 8cfa7e81f26c46eb681bec1109d5d71893c06a37b86f664b19b6c806c97478ff
Instruction Fuzzy Hash: E3517E78A046019FC714DF28C494E96B7E4FF89324F14855EE99A8B3A2DB30ED45CF91

Function 00A02622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A0271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A02724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A02731

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5dcbc62589d6fd1931d59d2ab1d348e30a1f67283c51c0215f320b86388d64c0
Instruction ID: a66cde748c51c9d1ff895cf4582a717ce14f79b5d6079cc9763cdf558c3fadd7
Opcode Fuzzy Hash: 5dcbc62589d6fd1931d59d2ab1d348e30a1f67283c51c0215f320b86388d64c0
Instruction Fuzzy Hash: 5931C27491131CABCB21DF68DD89798BBB8BF48310F5041EAE90CA72A1E7709F818F44

Function 00A451CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A451DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A45238
SetErrorMode.KERNEL32(00000000), ref: 00A452A1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 22dbc450c5f84da60773cf76746802bc273f66b9d26437588f1e986054cb226c
Instruction ID: 41953e7e6e6a39e1032d8e1225b8be20c55ac6b09d646f72f3ade1a7568b3ed6
Opcode Fuzzy Hash: 22dbc450c5f84da60773cf76746802bc273f66b9d26437588f1e986054cb226c
Instruction Fuzzy Hash: 0F314B75A00518DFDB00DFA4D884EEDBBB4FF49314F04809AE845AB362DB71E856CB90

Function 00A316C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 009EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009F0668
Part of subcall function 009EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009F0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A3170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A3173A
GetLastError.KERNEL32 ref: 00A3174A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d9022129e1f831abb6cbfca2506732074d03a10cfa85152750775277b6e3fdfe
Instruction ID: cb6b7b082b429d6339df1c847ce313c2a216f8d9b22129c6bdf32b57d35fcbc7
Opcode Fuzzy Hash: d9022129e1f831abb6cbfca2506732074d03a10cfa85152750775277b6e3fdfe
Instruction Fuzzy Hash: CF11C1B2404305AFD718EF54EC86E6ABBBDEB44764B24852EF05657681EB70BC428A60

Function 00A3D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A3D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A3D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A3D650

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 792d85a4b1b068c669c3110c91d3c1c404a51fb1a1632f0149ea5444af62a0ee
Instruction ID: 29adb7736e4f5855a0e9871849ac912109c38f0dd8f14159189ad39c29b93b3f
Opcode Fuzzy Hash: 792d85a4b1b068c669c3110c91d3c1c404a51fb1a1632f0149ea5444af62a0ee
Instruction Fuzzy Hash: 4F115E75E05228BFDB10CFA5EC45FAFBBBCEB45B60F108115F914E7290D6B05A058BA1

Function 00A31663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A3168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A316A1
FreeSid.ADVAPI32(?), ref: 00A316B1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0c319d59c3379eb6b4132eb8b1b2334015bcef1a8ae6c07f86f61aaf0fe640c0
Instruction ID: b4804313222cb2dcd1a39dc7b3178e22a0267360d2ca25df2738273a40eb4d02
Opcode Fuzzy Hash: 0c319d59c3379eb6b4132eb8b1b2334015bcef1a8ae6c07f86f61aaf0fe640c0
Instruction Fuzzy Hash: B2F0F471950309FBDB00DFE49D89AAEBBBCEB08614F504565E601E2181E774AA448A50

Function 00A0C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00A0C36C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 8fdb4a7330191f02638565750680c018d135aca211c2526f67af1a1efe0fe546
Instruction ID: 71e459649ec7f87255563eec648305b18f42e682369c1ec1662faf383795ab68
Opcode Fuzzy Hash: 8fdb4a7330191f02638565750680c018d135aca211c2526f67af1a1efe0fe546
Instruction Fuzzy Hash: F941297290021DAFCB20EFB9EC89EBBB778EB84724F104269F905DB1C0E6719D418B50

Function 00A2D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A2D28C

Strings

X64, xrefs: 00A2D2A8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 68ec076f855a5768a883301668cd0e632f0bdd3fe25e95639691c576149bb783
Instruction ID: 606a7f7a5a358e06c06b70143f6a135d45633d7073a2631fc48bef7f3255120e
Opcode Fuzzy Hash: 68ec076f855a5768a883301668cd0e632f0bdd3fe25e95639691c576149bb783
Instruction Fuzzy Hash: D1D0C9B480112DEACB95CB90EC88DD9B37CBB04306F100551F106A2000D77495498F20

Function 009FCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d7531909c508c1026b52dfd409a0dbb02259e4a3be363b2109791a9c4caf14c3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 03020AB1E0021D9BDF14CFA9C9806ADFBB5EF88314F25856AD919E7380D731AE418B94

Function 00A468EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A46918
FindClose.KERNEL32(00000000), ref: 00A46961

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a73cbaf4f3a169e3d4267de3a22e35c3074d4b6b3ea70143a009f8876ed2a7c0
Instruction ID: 3e4e7e966f36d0fdc1efb9ceeaf76820a97f2f431ba0c0d9e91666096be405f0
Opcode Fuzzy Hash: a73cbaf4f3a169e3d4267de3a22e35c3074d4b6b3ea70143a009f8876ed2a7c0
Instruction Fuzzy Hash: 2C1190756042019FC710DF69D484A26BBE5FF85328F14C69AF8698F3A2D770EC05CB91

Function 00A437B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A54891,?,?,00000035,?), ref: 00A437E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A54891,?,?,00000035,?), ref: 00A437F4

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d4e77e90c43671ba0f29a1e97fef9c6c73d81bc60c7bfe30ba2386b4649a510e
Instruction ID: f49982b552f517e2d68b4df0bdc68a84eef8186c7ea5bd21ab07ded331a0ce7b
Opcode Fuzzy Hash: d4e77e90c43671ba0f29a1e97fef9c6c73d81bc60c7bfe30ba2386b4649a510e
Instruction Fuzzy Hash: 8DF055B16002282AEB60A3B68C4DFEB3AAEEFC4770F000122F509D2280C9A08904C6B0

Function 00A3B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A3B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00A3B270

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 40508798b1446898c4ce9fa9d7d63e31886f7638596f78aa4b1f9f46df4369d3
Instruction ID: 642e97b2d93f2fb2afc97ad9d535311ba4ebb396cd866d669b22dfe9c39d864c
Opcode Fuzzy Hash: 40508798b1446898c4ce9fa9d7d63e31886f7638596f78aa4b1f9f46df4369d3
Instruction Fuzzy Hash: B6F01D7181428DABDB05DFA1C806BFE7BB4FF04319F00800AFA65A5192C7B986119FA4

Function 00A310BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A311FC), ref: 00A310D4
CloseHandle.KERNEL32(?,?,00A311FC), ref: 00A310E9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 203927a4e9a981218457a98e9ac44803c8ee7079226de5669a6cbc40b944aa34
Instruction ID: a719ac8639c49d3b8df54f887d1a2a0ea72f8a43b579d69ae56b003fb581c8e5
Opcode Fuzzy Hash: 203927a4e9a981218457a98e9ac44803c8ee7079226de5669a6cbc40b944aa34
Instruction Fuzzy Hash: DFE0BF72018651AEE7266B52FC05F777BA9EB04320F14882EF5A5844B1DBA26C91DB50

Function 009DCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A20C40

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8ee5bb89ad8638191e0369f8a6b895f1fdb930af0f520f0b9f0d209435282ed6
Instruction ID: 089576bb2ccf7a8b5731a8ede96dca9130fd53eca6dfe93c6ea38c5daf733e5b
Opcode Fuzzy Hash: 8ee5bb89ad8638191e0369f8a6b895f1fdb930af0f520f0b9f0d209435282ed6
Instruction Fuzzy Hash: 0D329BB4940219DBCF14DF98D980BEDB7B9FF45304F20846AE806AB392D775AE45CB60

Function 00A0676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A06766,?,?,00000008,?,?,00A0FEFE,00000000), ref: 00A06998

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 54645a5869ad040f42aba20d1b288d358d976105a5f4a7251b69a2e3e330a91a
Instruction ID: cb951d06e5b863583457103677bdbb0613b9084e6e37c07987e6c6ef23e35b41
Opcode Fuzzy Hash: 54645a5869ad040f42aba20d1b288d358d976105a5f4a7251b69a2e3e330a91a
Instruction Fuzzy Hash: 05B116316106099FD719CF28D48AB657BE0FF45368F29C658E899CF2E2C335E9A5CB40

Function 009EB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A2851F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b8543acf7ed1f87a85329bdb2ffc69a1e8003cac59b7c417ae172ed8e324a562
Instruction ID: 748d6557a36813e546b8bf79a58f250d6583a58179d2a30376089451997f281f
Opcode Fuzzy Hash: b8543acf7ed1f87a85329bdb2ffc69a1e8003cac59b7c417ae172ed8e324a562
Instruction Fuzzy Hash: 06127D719012299FCB25CF59D8816EEB7F5FF48710F1081AAE849EB255EB349E81CF90

Function 00A4EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A4EABD

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 15d96cd31127404eeb97d1841b9f89025ae3d7fe7fe3baf7baf1615a3837267a
Instruction ID: a63404b70badcf75d69e3fcf27ae3c4cdfd34074be349d6296d056a1f699c212
Opcode Fuzzy Hash: 15d96cd31127404eeb97d1841b9f89025ae3d7fe7fe3baf7baf1615a3837267a
Instruction Fuzzy Hash: BEE01A352002059FC710EF59D804E9AB7E9BF987A1F008426FD49D7361DAB0A8418B90

Function 009F09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009F03EE), ref: 009F09DA

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cc1b104cbf0bb6e40883acf9f7543933b4882cc3439e1ef28ba0a7443b1e8edb
Instruction ID: 57cc2ae823d6d51c8614b6e55260bba2e279cc887d5d852d9c247c06a23f6f86
Opcode Fuzzy Hash: cc1b104cbf0bb6e40883acf9f7543933b4882cc3439e1ef28ba0a7443b1e8edb
Instruction Fuzzy Hash:

Function 009F781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 009F798B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 8ce1ac0f8c7de15b6e37762d0829a3980e10feb96bfe78ea636b006c1df8b4e1
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 32518B7160C70D6BDF3889E888DD7BFE79D9B52384F180909DB82C7282C655DE82D352

Function 00A06DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede86e366b8aced7b4d0f350f45053ae1d66da1b7b6bda3d7e3a5f070ab36c56
Instruction ID: 1abc0a6509fdfaa1ec49dc3ff5116b55add24d2db83180ae529e28c89071f584
Opcode Fuzzy Hash: ede86e366b8aced7b4d0f350f45053ae1d66da1b7b6bda3d7e3a5f070ab36c56
Instruction Fuzzy Hash: D3322422D29F054DD7239634EC22339A689AFB73C5F15D737E81AB59A6EB39D4C34200

Function 009ECC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d0e8fa8a54fed19c65f24cf578b41461e42e37b1a77db44d39debf0f88541
Instruction ID: f5cab4f3078a07f04082c48476eb2cc19a8be7005c44c293b823d39e005301f4
Opcode Fuzzy Hash: a74d0e8fa8a54fed19c65f24cf578b41461e42e37b1a77db44d39debf0f88541
Instruction Fuzzy Hash: A1322872A001A58BDF29CF2DE490A7D77B2EF45360F388576E4C99B291D234DD82DB40

Function 009D7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfe89f08660e09ca3c5dd50b99617ba19dc7cb54ade114657d7304b4f1904dc
Instruction ID: 89cdb95be2dc24848988462f8ab8b50a87bd801dc52464052cabd0e2dc3dac11
Opcode Fuzzy Hash: 8dfe89f08660e09ca3c5dd50b99617ba19dc7cb54ade114657d7304b4f1904dc
Instruction Fuzzy Hash: 78228F70E04609DFDF14CFA5D941AEEB7B6FF84300F14852AE816AB291EB399D51CB50

Function 009D91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2143b560b587da76c87da769bce498e6f0f17026065e0ee3a5f434f099024c2
Instruction ID: 5378150c8dfc1caad9a9801410dc5905bc04ed28895b8bf5e1d76a637a6a9a35
Opcode Fuzzy Hash: f2143b560b587da76c87da769bce498e6f0f17026065e0ee3a5f434f099024c2
Instruction Fuzzy Hash: 3F02A4B1E00209EBDB05DF55D881BAEB7B5FF44340F10816AE8169B391EB35AE61CBD1

Function 00A09EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bd4d3db0404342607060dbbe40ba3b542480a0ec135e292f9dac27746fa685
Instruction ID: c38c9135f20a37a2d82cc976c002461ffbff922ab0951f788c8d09a31c1c6c8a
Opcode Fuzzy Hash: 27bd4d3db0404342607060dbbe40ba3b542480a0ec135e292f9dac27746fa685
Instruction Fuzzy Hash: A5B1F221D2AF414DC62396398C31336B65CAFBB6D5F92D31BFC2A78D62EB2285C35141

Function 009F1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 3671b91a7183bafecde63bdef0eca62aa389d7f736089a33c97449b5ac2bccef
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 4E9186726080A78ADB2D463E857403EFFF55A923B131A0B9ED5F2CA1C5FE24C954D7A0

Function 009F1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: e1bb2978ce5b1b24c7c26f2908e55a07ad6c321a2d9e2b0e6bd126e29d610233
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6E91547320D0A74ADB29433A857413EFFE59A923B131E079ED6F2CB1C5EE248564E760

Function 009F19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 051e533bed8ac7e1f0c6f54b86c300cfcd76fa9951f99461dc53ce15c036c1bc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C891B3322090E7CADB2D427A847403EFFE55A923B231A079ED5F2CA1C5FE24C564D7A0

Function 009F7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb468fadbdba21fd780c4f361b68b1426f805675ebed094ec2a2672376af0eb
Instruction ID: 9560952bcdbd153b7f8b306c6ab6f05b58c01dcc18d6ade50d509762ed552328
Opcode Fuzzy Hash: 3bb468fadbdba21fd780c4f361b68b1426f805675ebed094ec2a2672376af0eb
Instruction Fuzzy Hash: 6961573120870D96EA349AEC8C95BBFE39CDF82711F100D1AEB82DB281DA55DE42C315

Function 009F7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17a26b97b6300b52376bd9307696e9a4cc293dfd33e63d8ad7e8daf5000604f
Instruction ID: 01a5d74bd978aac1544f33e155074ff8d4762173e84daf9050a6f03d44673c91
Opcode Fuzzy Hash: e17a26b97b6300b52376bd9307696e9a4cc293dfd33e63d8ad7e8daf5000604f
Instruction Fuzzy Hash: 9D618A3160870D67DE384AE85895BBFE38DEF82704FA00D5AEB42CB2D1DA56DD42C315

Function 009F1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 366e9d02b70b22214f67eb16e683007ca79cf5ba59c08333091cd32086f3f44b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5B8186326080E78ADB2D827A853407EFFE55A923B131A079ED5F6CB1C1EE24D554E7A0

Function 00A42046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11349d656394f9e7e25e73b528ebc04a6fc055a65f757aa3f9beeb581d074d18
Instruction ID: 4c3425b3ee1859e88e9d2f88122886608663ac85cffe3c83d0a974040d91b83b
Opcode Fuzzy Hash: 11349d656394f9e7e25e73b528ebc04a6fc055a65f757aa3f9beeb581d074d18
Instruction Fuzzy Hash: 732193326216158BD728CF79C82277E73E5A794310F55862EE4A7C37D0DE35AD04CB80

Function 00A52ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A52B30
DeleteObject.GDI32(00000000), ref: 00A52B43
DestroyWindow.USER32 ref: 00A52B52
GetDesktopWindow.USER32 ref: 00A52B6D
GetWindowRect.USER32(00000000), ref: 00A52B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A52CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A52CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52CF8
GetClientRect.USER32(00000000,?), ref: 00A52D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A52D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52D80
GlobalLock.KERNEL32(00000000), ref: 00A52D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52D98
GlobalUnlock.KERNEL32(00000000), ref: 00A52DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52DA8
GlobalFree.KERNEL32(00000000), ref: 00A52DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A6FC38,00000000), ref: 00A52DDB
GlobalFree.KERNEL32(00000000), ref: 00A52DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A52E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A52E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A52E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A5303F

Strings

static, xrefs: 00A52D3A, 00A52E91
, xrefs: 00A52FC5
AutoIt v3, xrefs: 00A52CF2
DISPLAY, xrefs: 00A52EA2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 43bad085e2d634231e8dbd4b384da03842a355ca6716d76d5efcd67215799a11
Instruction ID: aa2f2a90181ed227b2234dc59b11fd0bc2f9c899f6fa4dc11e30300cd423841f
Opcode Fuzzy Hash: 43bad085e2d634231e8dbd4b384da03842a355ca6716d76d5efcd67215799a11
Instruction Fuzzy Hash: 98029B75A00205EFDB14DFA4DC89EAE7BB9FF49321F008119F915AB2A1DB74AD05CB60

Function 00A670D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A6712F
GetSysColorBrush.USER32(0000000F), ref: 00A67160
GetSysColor.USER32(0000000F), ref: 00A6716C
SetBkColor.GDI32(?,000000FF), ref: 00A67186
SelectObject.GDI32(?,?), ref: 00A67195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A671C0
GetSysColor.USER32(00000010), ref: 00A671C8
CreateSolidBrush.GDI32(00000000), ref: 00A671CF
FrameRect.USER32(?,?,00000000), ref: 00A671DE
DeleteObject.GDI32(00000000), ref: 00A671E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A67230
FillRect.USER32(?,?,?), ref: 00A67262
GetWindowLongW.USER32(?,000000F0), ref: 00A67284

Part of subcall function 00A673E8: GetSysColor.USER32(00000012), ref: 00A67421
Part of subcall function 00A673E8: SetTextColor.GDI32(?,?), ref: 00A67425
Part of subcall function 00A673E8: GetSysColorBrush.USER32(0000000F), ref: 00A6743B
Part of subcall function 00A673E8: GetSysColor.USER32(0000000F), ref: 00A67446
Part of subcall function 00A673E8: GetSysColor.USER32(00000011), ref: 00A67463
Part of subcall function 00A673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A67471
Part of subcall function 00A673E8: SelectObject.GDI32(?,00000000), ref: 00A67482
Part of subcall function 00A673E8: SetBkColor.GDI32(?,00000000), ref: 00A6748B
Part of subcall function 00A673E8: SelectObject.GDI32(?,?), ref: 00A67498
Part of subcall function 00A673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A674B7
Part of subcall function 00A673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A674CE
Part of subcall function 00A673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A674DB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9672b71eb34ffc32fbcb5172ce9619421c8b66606103b831fb0056d865686296
Instruction ID: 178f2bdb788fd694994e8190c90b84c1064db204a5f7db90eced149532cb65e9
Opcode Fuzzy Hash: 9672b71eb34ffc32fbcb5172ce9619421c8b66606103b831fb0056d865686296
Instruction Fuzzy Hash: 28A17F72008301AFDB01DFA0DC48A6E7BB9FB89334F100B19F9A2961E1D7B5E945CB51

Function 009E8D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009E8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A26AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A26AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A26F43

Part of subcall function 009E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009E8BE8,?,00000000,?,?,?,?,009E8BBA,00000000,?), ref: 009E8FC5

SendMessageW.USER32(?,00001053), ref: 00A26F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A26F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A26FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A26FB7

Strings

0, xrefs: 00A26DCF
V, xrefs: 009E8DC2, 00A26ADC, 00A26B10, 00A26B5F, 00A26B9F, 00A26C47, 00A26CE8, 00A26D8C, 00A26E18, 00A26EEF, 00A26F15, 00A26FC8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$V
API String ID: 2760611726-3648174478
Opcode ID: c86f7494a668c757a5784dfb579f2c6397f492c45093b40015c2fd21aeb63e16
Instruction ID: 5b0226eb15be789dc305393cbce168d55c021cc19d1f2ce190111d759b2038bf
Opcode Fuzzy Hash: c86f7494a668c757a5784dfb579f2c6397f492c45093b40015c2fd21aeb63e16
Instruction Fuzzy Hash: B812CE30202261EFDB26DF58E944BAAB7F5FB45310F14846DF4898B2A1CB35EC52DB91

Function 00A52711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A5273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A5286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A528A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A528B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A52900
GetClientRect.USER32(00000000,?), ref: 00A5290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A52955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A52964
GetStockObject.GDI32(00000011), ref: 00A52974
SelectObject.GDI32(00000000,00000000), ref: 00A52978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A52988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A52991
DeleteDC.GDI32(00000000), ref: 00A5299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A529C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A529DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A52A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A52A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A52A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A52A77
GetStockObject.GDI32(00000011), ref: 00A52A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A52A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A52A97

Strings

static, xrefs: 00A5294F, 00A52A71
msctls_progress32, xrefs: 00A52A13
AutoIt v3, xrefs: 00A528F8
DISPLAY, xrefs: 00A5295A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c763c8048c0cdbcbf4baf2c197311dd5499be281aa77e175be03ca54ae0e8e73
Instruction ID: 22771be28484c87a66a3264b395a6ae971f0f00dcf9255797fdb768d2f437236
Opcode Fuzzy Hash: c763c8048c0cdbcbf4baf2c197311dd5499be281aa77e175be03ca54ae0e8e73
Instruction Fuzzy Hash: BCB14971A40215BFEB14DFA8DC49FAABBB9FB49711F008115F914EB290D7B4AD41CBA0

Function 00A44ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A44AED
GetDriveTypeW.KERNEL32(?,00A6CB68,?,\\.\,00A6CC08), ref: 00A44BCA
SetErrorMode.KERNEL32(00000000,00A6CB68,?,\\.\,00A6CC08), ref: 00A44D36

Strings

SSA, xrefs: 00A44CA6
ATAPI, xrefs: 00A44C91
ATA, xrefs: 00A44C98
Unknown, xrefs: 00A44BED, 00A44C83
Fibre, xrefs: 00A44CAD
Network, xrefs: 00A44C02
FileBackedVirtual, xrefs: 00A44CEC
RAID, xrefs: 00A44CBB
CDROM, xrefs: 00A44BFB
MMC, xrefs: 00A44CDE
SCSI, xrefs: 00A44C8A
RAMDisk, xrefs: 00A44BF4
SAS, xrefs: 00A44CC9
\\.\, xrefs: 00A44B3F
SATA, xrefs: 00A44CD0
Virtual, xrefs: 00A44CE5
iSCSI, xrefs: 00A44CC2
Removable, xrefs: 00A44C10, 00A44C15
PhysicalDrive, xrefs: 00A44B76
1394, xrefs: 00A44C9F
SSD, xrefs: 00A44C4A
Fixed, xrefs: 00A44C09
USB, xrefs: 00A44CB4

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5497d99a7f8021d94dff78a54882324676af909d2c093735cd0a76f1f7051b93
Instruction ID: 835429ed43b92280fd425f9be3093fec2324ac560e90c91f5dd385073bde972d
Opcode Fuzzy Hash: 5497d99a7f8021d94dff78a54882324676af909d2c093735cd0a76f1f7051b93
Instruction Fuzzy Hash: 2161AE38745506ABCF04DF64CAC2B68B7B0FF8C349B288816F806AB291DB35ED41DB41

Function 00A673E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A67421
SetTextColor.GDI32(?,?), ref: 00A67425
GetSysColorBrush.USER32(0000000F), ref: 00A6743B
GetSysColor.USER32(0000000F), ref: 00A67446
CreateSolidBrush.GDI32(?), ref: 00A6744B
GetSysColor.USER32(00000011), ref: 00A67463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A67471
SelectObject.GDI32(?,00000000), ref: 00A67482
SetBkColor.GDI32(?,00000000), ref: 00A6748B
SelectObject.GDI32(?,?), ref: 00A67498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A674B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A674CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A674DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A6752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A67554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A67572
DrawFocusRect.USER32(?,?), ref: 00A6757D
GetSysColor.USER32(00000011), ref: 00A6758E
SetTextColor.GDI32(?,00000000), ref: 00A67596
DrawTextW.USER32(?,00A670F5,000000FF,?,00000000), ref: 00A675A8
SelectObject.GDI32(?,?), ref: 00A675BF
DeleteObject.GDI32(?), ref: 00A675CA
SelectObject.GDI32(?,?), ref: 00A675D0
DeleteObject.GDI32(?), ref: 00A675D5
SetTextColor.GDI32(?,?), ref: 00A675DB
SetBkColor.GDI32(?,?), ref: 00A675E5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 7b6f0a9ad1415ffe9b5beb9daa725c685a213651a306f06c1c533d221dd91a4c
Instruction ID: f6f2b4d0fafc4c458f27990f4756828ecfa4b4ce128bf9274de35cdf95965fd4
Opcode Fuzzy Hash: 7b6f0a9ad1415ffe9b5beb9daa725c685a213651a306f06c1c533d221dd91a4c
Instruction Fuzzy Hash: 43615D76900218AFDF01DFA4DC49EAE7FB9EB09320F114225F916AB2A1D7B49941CB90

Function 00A60FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A61128
GetDesktopWindow.USER32 ref: 00A6113D
GetWindowRect.USER32(00000000), ref: 00A61144
GetWindowLongW.USER32(?,000000F0), ref: 00A61199
DestroyWindow.USER32(?), ref: 00A611B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A611ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A6120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A6121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A61232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A61245
IsWindowVisible.USER32(00000000), ref: 00A612A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A612BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A612D0
GetWindowRect.USER32(00000000,?), ref: 00A612E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A6130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A61328
CopyRect.USER32(?,?), ref: 00A6133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A613AA

Strings

tooltips_class32, xrefs: 00A611E6
0, xrefs: 00A610D3
(, xrefs: 00A6131B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: aefaaaaf609bc3cb08b7c85d320c9c7f91d7b000b021ca675a6871c453dd9f46
Instruction ID: b324778575bd9ec2b9c64f449289921829f0f2e607aca980cc060732aabbe9ba
Opcode Fuzzy Hash: aefaaaaf609bc3cb08b7c85d320c9c7f91d7b000b021ca675a6871c453dd9f46
Instruction Fuzzy Hash: 2BB18B71608341AFDB00DF65C884B6ABBF4FF88354F04891DF99A9B2A1D771E845CB92

Function 00A60241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A602E5
_wcslen.LIBCMT ref: 00A6031F
_wcslen.LIBCMT ref: 00A60389
_wcslen.LIBCMT ref: 00A603F1
_wcslen.LIBCMT ref: 00A60475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A604C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A60504

Part of subcall function 009EF9F2: _wcslen.LIBCMT ref: 009EF9FD

Part of subcall function 00A3223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A32258
Part of subcall function 00A3223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A3228A

Strings

SELECTALL, xrefs: 00A60515
FINDITEM, xrefs: 00A60627
ISSELECTED, xrefs: 00A604DD
GETSELECTED, xrefs: 00A605E1
SELECTINVERT, xrefs: 00A6057E
GETTEXT, xrefs: 00A603EC, 00A60407
GETSUBITEMCOUNT, xrefs: 00A60384, 00A6039F
GETITEMCOUNT, xrefs: 00A60316, 00A60337
VIEWCHANGE, xrefs: 00A60675
DESELECT, xrefs: 00A6059C
SELECTCLEAR, xrefs: 00A6052D
SELECT, xrefs: 00A60548
GETSELECTEDCOUNT, xrefs: 00A60470, 00A6048B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1ee4200dabd0085ec5e5008404a374fd60b12e9fdb40104522de8979713d5673
Instruction ID: 343cd9783a8dbf224ba555e6ca5166190a37740e13118b9e535f7d6bad6525e8
Opcode Fuzzy Hash: 1ee4200dabd0085ec5e5008404a374fd60b12e9fdb40104522de8979713d5673
Instruction Fuzzy Hash: 03E18B312182019BCB24DF24C55093BB7F6BFC8754B14895DF8969B3A1DB30ED85CB91

Function 009E8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009E8968
GetSystemMetrics.USER32(00000007), ref: 009E8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009E899B
GetSystemMetrics.USER32(00000008), ref: 009E89A3
GetSystemMetrics.USER32(00000004), ref: 009E89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009E89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009E89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009E8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009E8A3C
GetClientRect.USER32(00000000,000000FF), ref: 009E8A5A
GetStockObject.GDI32(00000011), ref: 009E8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 009E8A81

Part of subcall function 009E912D: GetCursorPos.USER32(?), ref: 009E9141
Part of subcall function 009E912D: ScreenToClient.USER32(00000000,?), ref: 009E915E
Part of subcall function 009E912D: GetAsyncKeyState.USER32(00000001), ref: 009E9183
Part of subcall function 009E912D: GetAsyncKeyState.USER32(00000002), ref: 009E919D

SetTimer.USER32(00000000,00000000,00000028,009E90FC), ref: 009E8AA8

Strings

AutoIt v3 GUI, xrefs: 009E8A20

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 762b7a3e4045d11667c6b4366db60ec972d69be4739cff38fe41cd3d5646c5cc
Instruction ID: db079aec5b7c1c12fd833b2e1dad94b32fbe037ee8f7087a16ad3444889d3aba
Opcode Fuzzy Hash: 762b7a3e4045d11667c6b4366db60ec972d69be4739cff38fe41cd3d5646c5cc
Instruction Fuzzy Hash: 66B17B35A4024AAFDB15DFA8DC85BAE3BB5FB48324F104229FA15A72D0DB74E841CB50

Function 00A30D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A31114
Part of subcall function 00A310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A31120
Part of subcall function 00A310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A3112F
Part of subcall function 00A310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A31136
Part of subcall function 00A310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A3114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A30DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A30E29
GetLengthSid.ADVAPI32(?), ref: 00A30E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A30E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A30E96
GetLengthSid.ADVAPI32(?), ref: 00A30EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A30EB5
HeapAlloc.KERNEL32(00000000), ref: 00A30EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A30EDD
CopySid.ADVAPI32(00000000), ref: 00A30EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A30F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A30F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A30F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A30F6E
HeapFree.KERNEL32(00000000), ref: 00A30F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A30F7E
HeapFree.KERNEL32(00000000), ref: 00A30F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A30F8E
HeapFree.KERNEL32(00000000), ref: 00A30F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A30FA1
HeapFree.KERNEL32(00000000), ref: 00A30FA8

Part of subcall function 00A31193: GetProcessHeap.KERNEL32(00000008,00A30BB1,?,00000000,?,00A30BB1,?), ref: 00A311A1
Part of subcall function 00A31193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A30BB1,?), ref: 00A311A8
Part of subcall function 00A31193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A30BB1,?), ref: 00A311B7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ac514760a2156318ed175c9e6e7992026678184f6ff877c14e8f66d1daa522a3
Instruction ID: bc3394c83d284d45fcdcd0b982faac86522a3464f6bfda01a2d88577c1bbf18d
Opcode Fuzzy Hash: ac514760a2156318ed175c9e6e7992026678184f6ff877c14e8f66d1daa522a3
Instruction Fuzzy Hash: 3D71787290021AEBDF20DFA4DD48FEEBBB8BF05310F148215F959E6191D7719A06CBA0

Function 00A5C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A5C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A6CC08,00000000,?,00000000,?,?), ref: 00A5C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A5C5A4
_wcslen.LIBCMT ref: 00A5C5F4
_wcslen.LIBCMT ref: 00A5C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A5C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A5C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A5C84D
RegCloseKey.ADVAPI32(?), ref: 00A5C881
RegCloseKey.ADVAPI32(00000000), ref: 00A5C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A5C960

Strings

REG_EXPAND_SZ, xrefs: 00A5C5CD
REG_DWORD, xrefs: 00A5C804
REG_SZ, xrefs: 00A5C644
REG_MULTI_SZ, xrefs: 00A5C6F5
REG_QWORD, xrefs: 00A5C8C3
REG_BINARY, xrefs: 00A5C913

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2ac479faabfd7a04052486f0a4c4d000fde68eca606d9ad4dcd390cb0d39149c
Instruction ID: 6fc7999de6738bddd4a2f803b1e48259ad67899aef4f5f4ce322c4612ac51a4d
Opcode Fuzzy Hash: 2ac479faabfd7a04052486f0a4c4d000fde68eca606d9ad4dcd390cb0d39149c
Instruction Fuzzy Hash: BB124775604201AFDB14DF14C891B2AB7E5FF88725F04899DF88A9B3A2DB31ED45CB81

Function 00A6091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A609C6
_wcslen.LIBCMT ref: 00A60A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A60A54
_wcslen.LIBCMT ref: 00A60A8A
_wcslen.LIBCMT ref: 00A60B06
_wcslen.LIBCMT ref: 00A60B81

Part of subcall function 009EF9F2: _wcslen.LIBCMT ref: 009EF9FD

Part of subcall function 00A32BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A32BFA

Strings

UNCHECK, xrefs: 00A60D3E
GETSELECTED, xrefs: 00A60C4E
GETTOTALCOUNT, xrefs: 00A609F2, 00A60A17
EXISTS, xrefs: 00A60B7C, 00A60B97
EXPAND, xrefs: 00A60BF8
GETTEXT, xrefs: 00A60C97
CHECK, xrefs: 00A60A85, 00A60AA0
ISCHECKED, xrefs: 00A60CE1
SELECT, xrefs: 00A60D11
COLLAPSE, xrefs: 00A60B01, 00A60B1C
GETITEMCOUNT, xrefs: 00A60C1E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 17786cdaf5c66bcfa2a5f43e427aeba91f51d85d2e7a9630d3f8bfc5c4756877
Instruction ID: dbe7150580a6889a5b16af70c1ceb8f23ff24b0cbeaead6e07bca898abc6ac44
Opcode Fuzzy Hash: 17786cdaf5c66bcfa2a5f43e427aeba91f51d85d2e7a9630d3f8bfc5c4756877
Instruction Fuzzy Hash: 01E178322087019FCB14DF64C450A2BB7F2BF98354B148A5DF8969B3A2D731ED85CB92

Function 00A5C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A5B6AE,?,?), ref: 00A5C9B5
_wcslen.LIBCMT ref: 00A5C9F1
_wcslen.LIBCMT ref: 00A5CA68
_wcslen.LIBCMT ref: 00A5CA9E
_wcslen.LIBCMT ref: 00A5CAF9
_wcslen.LIBCMT ref: 00A5CB2F
_wcslen.LIBCMT ref: 00A5CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00A5CA62, 00A5CA67
HKCR, xrefs: 00A5CB29, 00A5CB2E
HKEY_CLASSES_ROOT, xrefs: 00A5CAF3, 00A5CAF8
HKCC, xrefs: 00A5CBAC
HKCU, xrefs: 00A5CBCE
HKEY_CURRENT_USER, xrefs: 00A5CBBD
HKU, xrefs: 00A5CBF0
HKLM, xrefs: 00A5CA98, 00A5CA9D
HKEY_CURRENT_CONFIG, xrefs: 00A5CB79, 00A5CB7E
HKEY_USERS, xrefs: 00A5CBDF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: b9a43efe96f5a81857a1fd5611a7ddcf1e07a28c89797faecfbb49d33086a5e2
Instruction ID: f7c20a0486924d98caf1bc59fe9580dccaaba2adf8ad175ca55ecfa51a0dac89
Opcode Fuzzy Hash: b9a43efe96f5a81857a1fd5611a7ddcf1e07a28c89797faecfbb49d33086a5e2
Instruction Fuzzy Hash: 8B71E63261022A8FCF10DF68CD516BF37A2BBA07B5B154529FD569B289E631CD49C3A0

Function 00A6833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6835A
_wcslen.LIBCMT ref: 00A6836E
_wcslen.LIBCMT ref: 00A68391
_wcslen.LIBCMT ref: 00A683B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A683F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A65BF2), ref: 00A6844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A68487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A684CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A68501
FreeLibrary.KERNEL32(?), ref: 00A6850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A6851D
DestroyIcon.USER32(?,?,?,?,?,00A65BF2), ref: 00A6852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A68549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A68555

Strings

.exe, xrefs: 00A68388
.icl, xrefs: 00A68368
.dll, xrefs: 00A683AB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 984d05237f93b5afe9a757a749dd15bc96428623990453ca2f4ddce0d2966c6c
Instruction ID: 197f9a5c4d9188e30e23d9d130700aaad67c3f76ab65d368c601f28936fa7c73
Opcode Fuzzy Hash: 984d05237f93b5afe9a757a749dd15bc96428623990453ca2f4ddce0d2966c6c
Instruction Fuzzy Hash: F861BF71540219BAEB14DF64CC45BBE77BCFB44B21F10460AF916DA1D1DFB8AA80C7A0

Function 009D7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 009D78ED
#OnAutoItStartRegister, xrefs: 009D7817
#requireadmin, xrefs: 009D77FF
Bad directive syntax error, xrefs: 00A1519A
#comments-end, xrefs: 009D78D9
", xrefs: 00A15153
#include-once, xrefs: 009D782F
#pragma compile, xrefs: 009D77D3
#notrayicon, xrefs: 009D77E7
', xrefs: 00A15169
#include, xrefs: 009D7847
Unterminated group of comments, xrefs: 00A1528C
#cs, xrefs: 009D7873, 009D78C5
Cannot parse #include, xrefs: 00A15279
#comments-start, xrefs: 009D785F, 009D78B1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 474456bdc1c6531e2ce29a999bd16d33dc5943b41b31aec7fa7ef1d44bc7eb9b
Instruction ID: 9c32443e5cccbdb90c311c077dd8afbaea8b21e7623a8d176498d9b98fef0c5d
Opcode Fuzzy Hash: 474456bdc1c6531e2ce29a999bd16d33dc5943b41b31aec7fa7ef1d44bc7eb9b
Instruction Fuzzy Hash: 2E81E971A84205BBDB11BFA0DC42FFF77A8AF95300F048426F905AA296FB70D941C791

Function 00A43E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A43EF8
_wcslen.LIBCMT ref: 00A43F03
_wcslen.LIBCMT ref: 00A43F5A
_wcslen.LIBCMT ref: 00A43F98
GetDriveTypeW.KERNEL32(?), ref: 00A43FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A4401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A44059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A44087

Strings

close cd wait, xrefs: 00A44072
type cdaudio alias cd wait, xrefs: 00A44001
open, xrefs: 00A43F54, 00A43F59
set cd door , xrefs: 00A44028
closed, xrefs: 00A43F08, 00A43F2D, 00A43F46, 00A43F7E, 00A43F97
wait, xrefs: 00A44044
close, xrefs: 00A43EFE, 00A43F18
open , xrefs: 00A43FE5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: a183d692f50cbd7fbebbd786ce55a9a6cad656bfe74507d695e9835416c08e66
Instruction ID: a15dc4eccf875d1120f26d42a7adb7e58ddfdfa4e4e70f23da8ee80b957c30ed
Opcode Fuzzy Hash: a183d692f50cbd7fbebbd786ce55a9a6cad656bfe74507d695e9835416c08e66
Instruction Fuzzy Hash: 6471E2766042119FCB10EF24C881A6AB7F4FFD8758F10892EF99697251EB30DD49CB91

Function 00A35A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A35A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A35A40
SetWindowTextW.USER32(?,?), ref: 00A35A57
GetDlgItem.USER32(?,000003EA), ref: 00A35A6C
SetWindowTextW.USER32(00000000,?), ref: 00A35A72
GetDlgItem.USER32(?,000003E9), ref: 00A35A82
SetWindowTextW.USER32(00000000,?), ref: 00A35A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A35AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A35AC3
GetWindowRect.USER32(?,?), ref: 00A35ACC
_wcslen.LIBCMT ref: 00A35B33
SetWindowTextW.USER32(?,?), ref: 00A35B6F
GetDesktopWindow.USER32 ref: 00A35B75
GetWindowRect.USER32(00000000), ref: 00A35B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A35BD3
GetClientRect.USER32(?,?), ref: 00A35BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A35C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A35C2F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: cd270590aebefafc2ae26ac4a344098c1b763c74930ee151914aeadd9c2dbd2a
Instruction ID: c626611e3e88ad83c1ed1b7377e300eb5f8bbfd6c5ab2d1bdbe995e4f52c161c
Opcode Fuzzy Hash: cd270590aebefafc2ae26ac4a344098c1b763c74930ee151914aeadd9c2dbd2a
Instruction Fuzzy Hash: 41716B31A00B09AFDB20DFB8CE89AAEBBF5FF48714F104518F582A25A0D775E941CB50

Function 00A4FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A4FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00A4FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00A4FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00A4FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00A4FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00A4FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00A4FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00A4FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00A4FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00A4FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00A4FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00A4FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00A4FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00A4FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00A4FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00A4FECC
GetCursorInfo.USER32(?), ref: 00A4FEDC
GetLastError.KERNEL32 ref: 00A4FF1E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 37ceb5ea12d59f65ab50676a2a5e393d0d4c1419e3d48af60b6d0088427f112f
Instruction ID: 0db6294783858931839e5ad24452634ae91cf97a52dfb26d265503725fa48a38
Opcode Fuzzy Hash: 37ceb5ea12d59f65ab50676a2a5e393d0d4c1419e3d48af60b6d0088427f112f
Instruction Fuzzy Hash: 494144B0D443196FDB10DFBA8C8585EBFE8FF44754B50852AE11DE7281DB789901CE91

Function 009F00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009F00C6

Part of subcall function 009F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00AA070C,00000FA0,C02DFB44,?,?,?,?,00A123B3,000000FF), ref: 009F011C
Part of subcall function 009F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A123B3,000000FF), ref: 009F0127
Part of subcall function 009F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A123B3,000000FF), ref: 009F0138
Part of subcall function 009F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009F014E
Part of subcall function 009F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009F015C
Part of subcall function 009F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009F016A
Part of subcall function 009F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009F0195
Part of subcall function 009F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009F01A0

___scrt_fastfail.LIBCMT ref: 009F00E7

Part of subcall function 009F00A3: __onexit.LIBCMT ref: 009F00A9

Strings

SleepConditionVariableCS, xrefs: 009F0154
WakeAllConditionVariable, xrefs: 009F0162
InitializeConditionVariable, xrefs: 009F0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 009F0122
kernel32.dll, xrefs: 009F0133

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 515f7364e75d56571048dbf1299d468045920b33706566c4fbcfdd44de5ee373
Instruction ID: ad49cd1861817099ccb3a440527e5c8e33b37641171415ebb2a607d645a07c28
Opcode Fuzzy Hash: 515f7364e75d56571048dbf1299d468045920b33706566c4fbcfdd44de5ee373
Instruction Fuzzy Hash: 7021C832644715AFD711ABE4AC05B7A36ACFB86B65F00052AF901A7292DBB4AC018B50

Function 00A330F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A3318D
_wcslen.LIBCMT ref: 00A331F8

Strings

TEXT, xrefs: 00A3347C
INSTANCE, xrefs: 00A33453
REGEXPCLASS, xrefs: 00A33255, 00A33266
NAME, xrefs: 00A33335, 00A33346
CLASSNN, xrefs: 00A331F3, 00A33204
CLASS, xrefs: 00A33188, 00A331A5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 036288730dbf8b7f696403cfb50e953ac650cd252184cb90b097a12f648af38c
Instruction ID: ce2035bf2aeb2de4a08bf7b95ad41af8dbea1f5102f8c06ea6e7115231716042
Opcode Fuzzy Hash: 036288730dbf8b7f696403cfb50e953ac650cd252184cb90b097a12f648af38c
Instruction Fuzzy Hash: 75E1B133A08616ABCF159FB8C4527FEBBB0BF54750F54821AF456E7240EB30AE858790

Function 00A444C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A6CC08), ref: 00A44527
_wcslen.LIBCMT ref: 00A4453B
_wcslen.LIBCMT ref: 00A44599
_wcslen.LIBCMT ref: 00A445F4
_wcslen.LIBCMT ref: 00A4463F
_wcslen.LIBCMT ref: 00A446A7

Part of subcall function 009EF9F2: _wcslen.LIBCMT ref: 009EF9FD

GetDriveTypeW.KERNEL32(?,00A96BF0,00000061), ref: 00A44743

Strings

cdrom, xrefs: 00A4458F, 00A44594
network, xrefs: 00A4469D, 00A446A2
fixed, xrefs: 00A44635, 00A4463A
unknown, xrefs: 00A44708
removable, xrefs: 00A445EA, 00A445EF
all, xrefs: 00A44531, 00A44536
ramdisk, xrefs: 00A446F1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ba497a45c6640483973fff5b11585edf0e858d745d794d939becece4094f760e
Instruction ID: 6599878b3b53235d1896232bc3936c7013ff3eb19a57e79dab3083aa362b6a5a
Opcode Fuzzy Hash: ba497a45c6640483973fff5b11585edf0e858d745d794d939becece4094f760e
Instruction Fuzzy Hash: 93B1AB796083029BC710EF28C891B6AF7E5AFE9764F50891DF496C7291E730DC45CBA2

Function 00A66CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A66DEB

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A66E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A66E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A66E94
DestroyWindow.USER32(?), ref: 00A66EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009D0000,00000000), ref: 00A66EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A66EFD
GetDesktopWindow.USER32 ref: 00A66F16
GetWindowRect.USER32(00000000), ref: 00A66F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A66F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A66F4D

Part of subcall function 009E9944: GetWindowLongW.USER32(?,000000EB), ref: 009E9952

Strings

0, xrefs: 00A66D98
tooltips_class32, xrefs: 00A66E58, 00A66EDD
V, xrefs: 00A66D0F, 00A66DCF, 00A66DF1, 00A66E04

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32$V
API String ID: 2429346358-3097446078
Opcode ID: 8487a4ed3296ee116755f3d8cf3eaf387058d749f1bcf85a5b985a48d5173622
Instruction ID: ce0db2661924252f5cd86ba96df14855353992d5dc9b7a2b5ad26ae772fa30a3
Opcode Fuzzy Hash: 8487a4ed3296ee116755f3d8cf3eaf387058d749f1bcf85a5b985a48d5173622
Instruction Fuzzy Hash: BE717674104241AFDB21CF68D844FBABBF9FB99304F04481EFA99872A1C775A906CB15

Function 00A6911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

DragQueryPoint.SHELL32(?,?), ref: 00A69147

Part of subcall function 00A67674: ClientToScreen.USER32(?,?), ref: 00A6769A
Part of subcall function 00A67674: GetWindowRect.USER32(?,?), ref: 00A67710
Part of subcall function 00A67674: PtInRect.USER32(?,?,00A68B89), ref: 00A67720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A691B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A691BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A691DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A69225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A6923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A69255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A69277
DragFinish.SHELL32(?), ref: 00A6927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A69371

Strings

@GUI_DRAGID, xrefs: 00A692E9
V, xrefs: 00A6917D, 00A691EA
@GUI_DRAGFILE, xrefs: 00A69320
@GUI_DROPID, xrefs: 00A6929E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$V
API String ID: 221274066-1508676730
Opcode ID: ed39b49c5e90c228692fdd3781f9f5bdd2abc9a20bf2bf71daf995317a3ce06c
Instruction ID: 574ebd2d3f5031a7cb4f229a0ad36bc20492b1bff25c1cc9c7f9ffb1e2464e76
Opcode Fuzzy Hash: ed39b49c5e90c228692fdd3781f9f5bdd2abc9a20bf2bf71daf995317a3ce06c
Instruction Fuzzy Hash: 19613971108301AFC701EFA4DC85EAFBBF8EBC9750F00491EF595962A1DB709A49CB52

Function 00A53FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A6CC08), ref: 00A540BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A540CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00A6CC08), ref: 00A540F2
FreeLibrary.KERNEL32(00000000,?,00A6CC08), ref: 00A5413E
StringFromGUID2.OLE32(?,?,00000028,?,00A6CC08), ref: 00A541A8
SysFreeString.OLEAUT32(00000009), ref: 00A54262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A542C8
SysFreeString.OLEAUT32(?), ref: 00A542F2

Strings

kernel32.dll, xrefs: 00A540B6
GetModuleHandleExW, xrefs: 00A540C7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 8bf3677da7ff577d74c29f4f3562ad06fb67aedafb5ad73b00f7122a391d586c
Instruction ID: 7bb4e92d3272e654dfd0ce03f049d8e3e7781d2045f2746910db8cf4b393bc07
Opcode Fuzzy Hash: 8bf3677da7ff577d74c29f4f3562ad06fb67aedafb5ad73b00f7122a391d586c
Instruction Fuzzy Hash: 65124C75A00215EFDB14DF94C884EAEBBB5FF49319F248098F9059B261D731ED86CBA0

Function 009D326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00AA1990), ref: 00A12F8D
GetMenuItemCount.USER32(00AA1990), ref: 00A1303D
GetCursorPos.USER32(?), ref: 00A13081
SetForegroundWindow.USER32(00000000), ref: 00A1308A
TrackPopupMenuEx.USER32(00AA1990,00000000,?,00000000,00000000,00000000), ref: 00A1309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A130A9

Strings

0, xrefs: 009D327D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 647443ba60e99adaf91d9597b17b1609d86243cde3a55087990456bad5b50dad
Instruction ID: e1de515a0b961cb5a142a6fb0afc144af0a15d64edcdc00f929567ab657ee270
Opcode Fuzzy Hash: 647443ba60e99adaf91d9597b17b1609d86243cde3a55087990456bad5b50dad
Instruction Fuzzy Hash: 7F711731680205BEEB259F64CC49FEABF75FF05364F208216F6256A2E0C7B1A960CB51

Function 009E8BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009E8BE8,?,00000000,?,?,?,?,009E8BBA,00000000,?), ref: 009E8FC5

DestroyWindow.USER32(?), ref: 009E8C81
KillTimer.USER32(00000000,?,?,?,?,009E8BBA,00000000,?), ref: 009E8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A26973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,009E8BBA,00000000,?), ref: 00A269A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,009E8BBA,00000000,?), ref: 00A269B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,009E8BBA,00000000), ref: 00A269D4
DeleteObject.GDI32(00000000), ref: 00A269E6

Strings

V, xrefs: 009E8C06

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: V
API String ID: 641708696-4045069856
Opcode ID: 534f9b87d6ba7bed350c4949a10411b36f47a2c71c676df332a28ae679b1f979
Instruction ID: 55e74b0900f5af765f8bf719ea4f5030218b126c71c4be14c45da0b33c76dc62
Opcode Fuzzy Hash: 534f9b87d6ba7bed350c4949a10411b36f47a2c71c676df332a28ae679b1f979
Instruction Fuzzy Hash: 4361AF30502651EFCB22DFAAD94872777F1FB46312F244929E086979A0CB75AD82DF90

Function 00A4C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A4C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A4C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A4C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A4C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A4C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A4C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A4C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A4C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A4C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A4C5F0
InternetCloseHandle.WININET(00000000), ref: 00A4C5FB

Strings

, xrefs: 00A4C575

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: ff8642626fe3a2a0aaa32475202392b25c1c2a77096da4674776e8ebd97b48dc
Instruction ID: f121ea1a0788afcddf9b89acd1d3262687b7d2b7598f488efee87bc45a39b6e4
Opcode Fuzzy Hash: ff8642626fe3a2a0aaa32475202392b25c1c2a77096da4674776e8ebd97b48dc
Instruction Fuzzy Hash: 1D517DB4541308BFDB61DFA0C948ABB7BFCFF48764F008419F98A96210DB74E9059B61

Function 009E9838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 009E9944: GetWindowLongW.USER32(?,000000EB), ref: 009E9952

GetSysColor.USER32(0000000F), ref: 009E9862

Strings

V, xrefs: 009E987C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID: V
API String ID: 259745315-4045069856
Opcode ID: 8440992430d3a42ee71360f754d39bfe7b0c5fdc67d1cc9168f623be97385adc
Instruction ID: b4b24729f972e5908f87989b6c420943932b6eaba1b686fed7b68765a2d2785e
Opcode Fuzzy Hash: 8440992430d3a42ee71360f754d39bfe7b0c5fdc67d1cc9168f623be97385adc
Instruction Fuzzy Hash: 8741D131104690AFDB219F799C84BB93BA9AB07330F144615F9A2872F2D7709D42DB11

Function 00A6856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00A68592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A685A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A685AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A685BA
GlobalLock.KERNEL32(00000000), ref: 00A685C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A685D7
GlobalUnlock.KERNEL32(00000000), ref: 00A685E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A685E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A685F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00A6FC38,?), ref: 00A68611
GlobalFree.KERNEL32(00000000), ref: 00A68621
GetObjectW.GDI32(?,00000018,?), ref: 00A68641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A68671
DeleteObject.GDI32(?), ref: 00A68699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A686AF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fd7bd62cd2969efbce78ada238ec5d1429dda26b6705932567141d9fa53b7e8c
Instruction ID: 93353fbb96a2d9b7416e4f85e353c4de11e3c64ad52f192d4ef8c2cbea0ece33
Opcode Fuzzy Hash: fd7bd62cd2969efbce78ada238ec5d1429dda26b6705932567141d9fa53b7e8c
Instruction Fuzzy Hash: 98411875600208AFDB11DFA5DC48EAA7BBCFF89B21F104159F956EB260DB749902CB60

Function 00A414BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A41502
VariantCopy.OLEAUT32(?,?), ref: 00A4150B
VariantClear.OLEAUT32(?), ref: 00A41517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A415FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A41657
VariantInit.OLEAUT32(?), ref: 00A41708
SysFreeString.OLEAUT32(?), ref: 00A4178C
VariantClear.OLEAUT32(?), ref: 00A417D8
VariantClear.OLEAUT32(?), ref: 00A417E7
VariantInit.OLEAUT32(00000000), ref: 00A41823

Strings

Default, xrefs: 00A416AF
%4d%02d%02d%02d%02d%02d, xrefs: 00A41625

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e97b7b8fc47815ecb37ba2fedde5f937c143cdb9fd0432e73571207dfefce802
Instruction ID: 512eba13f5ce3efa6c5aeb1bc5c0b57780f23e4541a204c7025cf8fef5e7582e
Opcode Fuzzy Hash: e97b7b8fc47815ecb37ba2fedde5f937c143cdb9fd0432e73571207dfefce802
Instruction Fuzzy Hash: 8DD10275A00219EBDB00EF65D889BBDB7B5BFC4700F148056F446AB291DB30EC81DB62

Function 00A5B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A5C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A5B6AE,?,?), ref: 00A5C9B5
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5C9F1
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA68
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A5B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A5B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A5B80A
RegCloseKey.ADVAPI32(?), ref: 00A5B87E
RegCloseKey.ADVAPI32(?), ref: 00A5B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A5B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A5B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A5B922
FreeLibrary.KERNEL32(00000000), ref: 00A5B983
RegCloseKey.ADVAPI32(00000000), ref: 00A5B994

Strings

advapi32.dll, xrefs: 00A5B8ED
RegDeleteKeyExW, xrefs: 00A5B8FE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6704f100f6a922e490b4e57651a8d4a526754a37265fdb6d8f02bc255bc3a15a
Instruction ID: ab8a51796793b9d36ed69b4bc2930b39f3dd88ced77242e202c0c9f95c999a1e
Opcode Fuzzy Hash: 6704f100f6a922e490b4e57651a8d4a526754a37265fdb6d8f02bc255bc3a15a
Instruction Fuzzy Hash: B8C16B30214201EFD710DF14C495B2ABBE5BF84319F14859DF89A8B3A2CB71E84ACBA1

Function 00A68D0E Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A68D5A
GetFocus.USER32 ref: 00A68D6A
GetDlgCtrlID.USER32(00000000), ref: 00A68D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00A68E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A68ECF
GetMenuItemCount.USER32(?), ref: 00A68EEC
GetMenuItemID.USER32(?,00000000), ref: 00A68EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A68F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A68F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A68FA1

Strings

0, xrefs: 00A68E9F
V, xrefs: 00A68E63, 00A68E85

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$V
API String ID: 1026556194-3648174478
Opcode ID: af4202d52d9888f130bc41f70ce37640f346595d52ecdf0061af7b6f96298f90
Instruction ID: 2f8b7ddc1ce81ef855567fd9f9b08c48a391aa16a33b3b2543d810535265bc7d
Opcode Fuzzy Hash: af4202d52d9888f130bc41f70ce37640f346595d52ecdf0061af7b6f96298f90
Instruction Fuzzy Hash: DA819E71508341AFDB10CF24C884AAB7BFDFB88764F140A1EF99597291DB79D901CBA2

Function 00A6541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A65504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A65515
CharNextW.USER32(00000158), ref: 00A65544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A65585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A6559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A655AC

Strings

V, xrefs: 00A6545F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: V
API String ID: 1350042424-4045069856
Opcode ID: f5eb3b16b5270f8493406180c2b86e4fdc6e87993dcc98c3ef82f373cd2d3b22
Instruction ID: 0024efb9d21f7cd391de7e64d7fbcb28da99880de5d429fbcc991e8a8a7f445d
Opcode Fuzzy Hash: f5eb3b16b5270f8493406180c2b86e4fdc6e87993dcc98c3ef82f373cd2d3b22
Instruction Fuzzy Hash: D6617E75D04609AFDF10DFB4CC889FE7BB9EB09724F108145F965A7290DB788A81DB60

Function 00A5255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A525D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A525E8
CreateCompatibleDC.GDI32(?), ref: 00A525F4
SelectObject.GDI32(00000000,?), ref: 00A52601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A5266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A526AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A526D0
SelectObject.GDI32(?,?), ref: 00A526D8
DeleteObject.GDI32(?), ref: 00A526E1
DeleteDC.GDI32(?), ref: 00A526E8
ReleaseDC.USER32(00000000,?), ref: 00A526F3

Strings

(, xrefs: 00A5268D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4c81c21eca1421a4a1333d1f881d5a96680e12581b8108540931253428bb3d15
Instruction ID: 5147f1f5beb6fc85069acfb4a26cfa8b71b396b53a2e146a166ec9c0caf91266
Opcode Fuzzy Hash: 4c81c21eca1421a4a1333d1f881d5a96680e12581b8108540931253428bb3d15
Instruction Fuzzy Hash: FB61E275D00219EFCF15CFE8D984AAEBBB5FF48310F20852AE955A7250E774A941CF90

Function 00A0DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A0DAA1

Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D659
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D66B
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D67D
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D68F
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D6A1
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D6B3
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D6C5
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D6D7
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D6E9
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D6FB
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D70D
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D71F
Part of subcall function 00A0D63C: _free.LIBCMT ref: 00A0D731

_free.LIBCMT ref: 00A0DA96

Part of subcall function 00A029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000), ref: 00A029DE
Part of subcall function 00A029C8: GetLastError.KERNEL32(00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000,00000000), ref: 00A029F0

_free.LIBCMT ref: 00A0DAB8
_free.LIBCMT ref: 00A0DACD
_free.LIBCMT ref: 00A0DAD8
_free.LIBCMT ref: 00A0DAFA
_free.LIBCMT ref: 00A0DB0D
_free.LIBCMT ref: 00A0DB1B
_free.LIBCMT ref: 00A0DB26
_free.LIBCMT ref: 00A0DB5E
_free.LIBCMT ref: 00A0DB65
_free.LIBCMT ref: 00A0DB82
_free.LIBCMT ref: 00A0DB9A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 37e8f6bad86269b99adc0879488c7d144a9e503779b338a053b64a8bb6cbfb4c
Instruction ID: 11db53a5cd1b9e19b1f347703d56f583a89691bb5e2e7e40e9459eeea7c1aea8
Opcode Fuzzy Hash: 37e8f6bad86269b99adc0879488c7d144a9e503779b338a053b64a8bb6cbfb4c
Instruction Fuzzy Hash: 2231193260470D9FEB21ABB9F949B5A77E9FF41390F254419E449D71D1DB35AC40CB20

Function 00A3365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A3369C
_wcslen.LIBCMT ref: 00A336A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A33797
GetClassNameW.USER32(?,?,00000400), ref: 00A3380C
GetDlgCtrlID.USER32(?), ref: 00A3385D
GetWindowRect.USER32(?,?), ref: 00A33882
GetParent.USER32(?), ref: 00A338A0
ScreenToClient.USER32(00000000), ref: 00A338A7
GetClassNameW.USER32(?,?,00000100), ref: 00A33921
GetWindowTextW.USER32(?,?,00000400), ref: 00A3395D

Strings

%s%u, xrefs: 00A33734

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: d1209d7b55490c1dc70ef300020cbfc24e3e37c115517dafdc9f8169070b3422
Instruction ID: b47b231facd185a51b0ce04724772d9350e98180d919b2e4ade452a51bc5bd4b
Opcode Fuzzy Hash: d1209d7b55490c1dc70ef300020cbfc24e3e37c115517dafdc9f8169070b3422
Instruction Fuzzy Hash: BD91B372208706EFDB19DF64C895BBAF7A9FF44350F008619F999C2190DB70EA45CB91

Function 00A34954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A34994
GetWindowTextW.USER32(?,?,00000400), ref: 00A349DA
_wcslen.LIBCMT ref: 00A349EB
CharUpperBuffW.USER32(?,00000000), ref: 00A349F7
_wcsstr.LIBVCRUNTIME ref: 00A34A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A34A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A34A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A34AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A34B20
GetWindowRect.USER32(?,?), ref: 00A34B8B

Strings

ThumbnailClass, xrefs: 00A34A6F, 00A34AF1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c4f3ab5015eb8b5d0555f9fccb14a2e985f0d94b01c0a8b9ba509c6c539ad1a3
Instruction ID: 3330d0d26a07231bc084e468771a33fd473ce2cf9d24568a2020ed181e802521
Opcode Fuzzy Hash: c4f3ab5015eb8b5d0555f9fccb14a2e985f0d94b01c0a8b9ba509c6c539ad1a3
Instruction Fuzzy Hash: D991CE711082099FDB04DF14C981BBABBE8FF88354F04846AFD859A196EB74FD45CBA1

Function 00A3BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00AA1990,000000FF,00000000,00000030), ref: 00A3BFAC
SetMenuItemInfoW.USER32(00AA1990,00000004,00000000,00000030), ref: 00A3BFE1
Sleep.KERNEL32(000001F4), ref: 00A3BFF3
GetMenuItemCount.USER32(?), ref: 00A3C039
GetMenuItemID.USER32(?,00000000), ref: 00A3C056
GetMenuItemID.USER32(?,-00000001), ref: 00A3C082
GetMenuItemID.USER32(?,?), ref: 00A3C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A3C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A3C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A3C145

Strings

0, xrefs: 00A3BF3D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: f3e127d10c168b37b9abc04bb7244f9071e02cbce26a903754ca4a1d350a0c75
Instruction ID: 98a1db5aee56ed2875aa0effe7d27ff17ef7916b2ec67ec5addce149f822fb82
Opcode Fuzzy Hash: f3e127d10c168b37b9abc04bb7244f9071e02cbce26a903754ca4a1d350a0c75
Instruction Fuzzy Hash: F761A0B190028AAFDF15CFA4CD88AFEBBB9EB06364F004115F951B7291C775AD05DB60

Function 00A63A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A63A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A63AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A63AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A63AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A63B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A63BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A63BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A63BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A63BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A63C13

Strings

V, xrefs: 00A63A67, 00A63A76, 00A63AAC, 00A63B01, 00A63C2A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: V
API String ID: 312131281-4045069856
Opcode ID: b486e3bd015e5b52cfe6439775ce0872bad2721e402678735a849483e04e7bbe
Instruction ID: ee79a5fca812742bc9d3909f8de0e1f5d62b5b4adfb206f3acf345b561c323aa
Opcode Fuzzy Hash: b486e3bd015e5b52cfe6439775ce0872bad2721e402678735a849483e04e7bbe
Instruction Fuzzy Hash: 5D617B75900208AFDB10DFA8CC81EEE77B8EF09714F10419AFA15E72A1D774AE46DB50

Function 00A3DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A3DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A3DC46
_wcslen.LIBCMT ref: 00A3DC50
_wcsstr.LIBVCRUNTIME ref: 00A3DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A3DCBC

Strings

\VarFileInfo\Translation, xrefs: 00A3DCB4
04090000, xrefs: 00A3DCF2
%u.%u.%u.%u, xrefs: 00A3DD9A
StringFileInfo\, xrefs: 00A3DC8F
DefaultLangCodepage, xrefs: 00A3DD1F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 60a771cdfd4c0c1f485a7a0767a807c52f08b8c19f6c39b11f9af9a20c86432a
Instruction ID: e6b1b0d6dd3e4f2fd485e4ea458f1edc1e87b4037950096828dc6c59937f2889
Opcode Fuzzy Hash: 60a771cdfd4c0c1f485a7a0767a807c52f08b8c19f6c39b11f9af9a20c86432a
Instruction Fuzzy Hash: EA412B32A41204BADB15BB75DC43FFF77BCEF82760F14446AFA00A6182EB75990187A5

Function 00A5CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A5CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A5CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A5CD48

Part of subcall function 00A5CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A5CCAA
Part of subcall function 00A5CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A5CCBD
Part of subcall function 00A5CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A5CCCF
Part of subcall function 00A5CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A5CD05
Part of subcall function 00A5CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A5CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A5CCF3

Strings

advapi32.dll, xrefs: 00A5CCB8
RegDeleteKeyExW, xrefs: 00A5CCC9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 14c6751cda6897cb6f2a2b69cbfbfba4be659322fd541bdf685fff4161b71994
Instruction ID: 3f43f769ff8a5135dcb45499d194c0575368635629da1f28f01846c49f26961e
Opcode Fuzzy Hash: 14c6751cda6897cb6f2a2b69cbfbfba4be659322fd541bdf685fff4161b71994
Instruction Fuzzy Hash: 2A317E72901228BFDB21DB90DC88EFFBB7CEF05761F000165E905E3144D6B49A4A9AA0

Function 00A43D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A43D40
_wcslen.LIBCMT ref: 00A43D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A43D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A43DBE
RemoveDirectoryW.KERNEL32(?), ref: 00A43DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A43E55
CloseHandle.KERNEL32(00000000), ref: 00A43E60
CloseHandle.KERNEL32(00000000), ref: 00A43E6B

Strings

:, xrefs: 00A43D82
\??\%s, xrefs: 00A43D5B
\, xrefs: 00A43D77

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a924afbe0b36a36a2e0d5b59d66d08af944c396f03ec7b104bcdf528bcfc829b
Instruction ID: 62e5d8eee2499cdf837cca16b5133db8d3e91a542f889145df7de6f471aff337
Opcode Fuzzy Hash: a924afbe0b36a36a2e0d5b59d66d08af944c396f03ec7b104bcdf528bcfc829b
Instruction Fuzzy Hash: 15319076A00209AADF21DBA0DC49FEF37BCEF89710F1041A6F609D6160EBB497458B24

Function 00A3E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A3E6B4

Part of subcall function 009EE551: timeGetTime.WINMM(?,?,00A3E6D4), ref: 009EE555

Sleep.KERNEL32(0000000A), ref: 00A3E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A3E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A3E727
SetActiveWindow.USER32 ref: 00A3E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A3E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A3E773
Sleep.KERNEL32(000000FA), ref: 00A3E77E
IsWindow.USER32 ref: 00A3E78A
EndDialog.USER32(00000000), ref: 00A3E79B

Strings

BUTTON, xrefs: 00A3E719

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 148622d07588f4ab5768c8834d64e754e7bebec8c8432414ebd033910e9b8a1c
Instruction ID: 8a9487e68ec056870636f40c2f17fa33a94ffb01f0fbbf1515234856670a0a3f
Opcode Fuzzy Hash: 148622d07588f4ab5768c8834d64e754e7bebec8c8432414ebd033910e9b8a1c
Instruction Fuzzy Hash: A7216FB0240206AFEB11DFE4EC99B363B79FB56758F101425F556826E1DBB1AC228B24

Function 00A3E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A3EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A3EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A3EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A3EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A3EAA7

Strings

alias PlayMe, xrefs: 00A3EA36
play PlayMe, xrefs: 00A3EAA2
status PlayMe mode, xrefs: 00A3EA58
close PlayMe, xrefs: 00A3EA6E, 00A3EA9B
play PlayMe wait, xrefs: 00A3EA91
open , xrefs: 00A3EA0C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3a1fb6c924910db25c7f7837feb8ef572e2834ca897b71b667465e58d0dd473d
Instruction ID: cfa2bad09739b33c580f20486fd0e96ad51f071a63de7167731b89564b77a2b5
Opcode Fuzzy Hash: 3a1fb6c924910db25c7f7837feb8ef572e2834ca897b71b667465e58d0dd473d
Instruction Fuzzy Hash: 51115131B9026979DB20E7A6DC4AEFF6ABCFFD1F40F40482AB411A21D1EAB05915C5B0

Function 00A39F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A3A012
SetKeyboardState.USER32(?), ref: 00A3A07D
GetAsyncKeyState.USER32(000000A0), ref: 00A3A09D
GetKeyState.USER32(000000A0), ref: 00A3A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00A3A0E3
GetKeyState.USER32(000000A1), ref: 00A3A0F4
GetAsyncKeyState.USER32(00000011), ref: 00A3A120
GetKeyState.USER32(00000011), ref: 00A3A12E
GetAsyncKeyState.USER32(00000012), ref: 00A3A157
GetKeyState.USER32(00000012), ref: 00A3A165
GetAsyncKeyState.USER32(0000005B), ref: 00A3A18E
GetKeyState.USER32(0000005B), ref: 00A3A19C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 39ed187b681d5b5eff40ed2620fb2e738413097c2e0a844dec36e74821ec63ca
Instruction ID: 99b5681a7b290110f5237a6dbb2306c402b73b8729c1415520cfd63a4de62402
Opcode Fuzzy Hash: 39ed187b681d5b5eff40ed2620fb2e738413097c2e0a844dec36e74821ec63ca
Instruction Fuzzy Hash: E351AB30A047942AFB35DBA089157EBFFB55F22340F08869DF5C6571C2DA949E4CC762

Function 00A35CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A35CE2
GetWindowRect.USER32(00000000,?), ref: 00A35CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A35D59
GetDlgItem.USER32(?,00000002), ref: 00A35D69
GetWindowRect.USER32(00000000,?), ref: 00A35D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A35DCF
GetDlgItem.USER32(?,000003E9), ref: 00A35DDD
GetWindowRect.USER32(00000000,?), ref: 00A35DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A35E31
GetDlgItem.USER32(?,000003EA), ref: 00A35E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A35E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A35E67

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3761ddc7b83fad966d895da24938d0d9ded89e399ca172be0c49b5a4178157b5
Instruction ID: cd8f3612b92537d23d90077c3f1b8f940d6282d8d3bd0c2ba9fa1ca03ebbd95b
Opcode Fuzzy Hash: 3761ddc7b83fad966d895da24938d0d9ded89e399ca172be0c49b5a4178157b5
Instruction Fuzzy Hash: 9C510CB5F00605AFDF18CFA8DD89AAEBBB5EF48311F548129F515E6290D7B09E01CB60

Function 00A396E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A1F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A39717
LoadStringW.USER32(00000000,?,00A1F7F8,00000001), ref: 00A39720

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A1F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A39742
LoadStringW.USER32(00000000,?,00A1F7F8,00000001), ref: 00A39745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A39866

Strings

^ ERROR, xrefs: 00A397FB
Line %d:, xrefs: 00A397A0
Line %d (File "%s"):, xrefs: 00A3978F
%s (%d) : ==> %s: %s %s, xrefs: 00A3984A
Error: , xrefs: 00A3981D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 164f255f36d0ebef5f93680ad8c8f95a96402f230e25f5265dc0881a64f0cfc1
Instruction ID: 8edba3955f8811bcec7c69c0889976db6faa43dee3a480cf1e86f7fb5d7af0a1
Opcode Fuzzy Hash: 164f255f36d0ebef5f93680ad8c8f95a96402f230e25f5265dc0881a64f0cfc1
Instruction Fuzzy Hash: 5E418372940209AADF04FBE0DE82EEFB778AF95340F508026F10572192EB756F59CB61

Function 00A306DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A307A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A307BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A307DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A30804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A3082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A30837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A3083C

Strings

\IPC$, xrefs: 00A30784
SOFTWARE\Classes\, xrefs: 00A3070E
\CLSID, xrefs: 00A30724

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e33c7e7eadc089ef9dde733eaf46f5199c3abe6b2ae366377c44e9bd0a95900c
Instruction ID: 24481ec68b16dd94b08132c6180970eea3d18414eb19d659ed83d5ebe8f34eb7
Opcode Fuzzy Hash: e33c7e7eadc089ef9dde733eaf46f5199c3abe6b2ae366377c44e9bd0a95900c
Instruction Fuzzy Hash: 1B413972D00228ABDF11EBA4DC95DEDB778FF44750F04812AF901A32A0EB709E04CB90

Function 00A63C46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A63C79
SetMenu.USER32(?,00000000), ref: 00A63C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A63D10
IsMenu.USER32(?), ref: 00A63D24
CreatePopupMenu.USER32 ref: 00A63D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A63D5B
DrawMenuBar.USER32 ref: 00A63D63

Strings

0, xrefs: 00A63C54
F, xrefs: 00A63D4E
V, xrefs: 00A63CCF, 00A63CEC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F$V
API String ID: 161812096-3113831973
Opcode ID: 2773c7eb76a533facf5767b05ee236aa6030a458695aa8a7cd6ae8959aed3fc7
Instruction ID: 45c91551febdc8baadac86060052df4beb68b8f5990cc60a6cb6214833940b32
Opcode Fuzzy Hash: 2773c7eb76a533facf5767b05ee236aa6030a458695aa8a7cd6ae8959aed3fc7
Instruction Fuzzy Hash: BF41597AA01209EFDF14CFA4DC44AAA7BB5FF49350F140429F946A7360D770AA12CF94

Function 00A63F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A6403B
CreateCompatibleDC.GDI32(00000000), ref: 00A64042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A64055
SelectObject.GDI32(00000000,00000000), ref: 00A6405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A64068
DeleteDC.GDI32(00000000), ref: 00A64072
GetWindowLongW.USER32(?,000000EC), ref: 00A6407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00A64092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00A6409E

Strings

static, xrefs: 00A63FD3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3d9b58f251b9b6656ace73f6aff1ff2e9e032ec94ea652137415b131001b04d8
Instruction ID: 0ecef4299042f4c840e5a1f130bddc8b2fa04f6c62dbdddd4a8affe538503e24
Opcode Fuzzy Hash: 3d9b58f251b9b6656ace73f6aff1ff2e9e032ec94ea652137415b131001b04d8
Instruction Fuzzy Hash: 1B315A32501215BBDF219FA4CC09FEA3BB8EF0E720F110211FA65A61A0C7B9D851DBA4

Function 00A53C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A53C5C
CoInitialize.OLE32(00000000), ref: 00A53C8A
CoUninitialize.OLE32 ref: 00A53C94
_wcslen.LIBCMT ref: 00A53D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A53DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A53ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A53F0E
CoGetObject.OLE32(?,00000000,00A6FB98,?), ref: 00A53F2D
SetErrorMode.KERNEL32(00000000), ref: 00A53F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A53FC4
VariantClear.OLEAUT32(?), ref: 00A53FD8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a4305eb6631d216b74d767ab606f6750453c1f5f3f2e89edabf427d91a20fa74
Instruction ID: 35ce5df5daa7c0c339833e3c439853883b86e69e0804b3c12d9620256693feb2
Opcode Fuzzy Hash: a4305eb6631d216b74d767ab606f6750453c1f5f3f2e89edabf427d91a20fa74
Instruction Fuzzy Hash: 4EC114726082059FDB00DF68C88492AB7F9FFC9789F10491DF98A9B211D771EE09CB52

Function 00A47A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A47AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A47B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A47BA3
CoCreateInstance.OLE32(00A6FD08,00000000,00000001,00A96E6C,?), ref: 00A47BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A47C74
CoTaskMemFree.OLE32(?,?), ref: 00A47CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A47D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A47D7A
CoTaskMemFree.OLE32(00000000), ref: 00A47D81
CoTaskMemFree.OLE32(00000000), ref: 00A47DD6
CoUninitialize.OLE32 ref: 00A47DDC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d9e63f9ab87c9ec6121cb2834e8c233a642b574b783c60cb4ccb02b17b68735e
Instruction ID: 3107dc67c9909de69329e825f028c831e5319e1fa787cd5499030340ff4fb66c
Opcode Fuzzy Hash: d9e63f9ab87c9ec6121cb2834e8c233a642b574b783c60cb4ccb02b17b68735e
Instruction Fuzzy Hash: 6DC10B75A04159AFCB14DFA4C888DAEBBF9FF88314B148499F81A9B361D730ED45CB90

Function 00A2FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A2FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A2FB08
VariantInit.OLEAUT32(?), ref: 00A2FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A2FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A2FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A2FBA1
VariantClear.OLEAUT32(?), ref: 00A2FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A2FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A2FBCC
VariantClear.OLEAUT32(?), ref: 00A2FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A2FBE9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 828744eb48e67960d34abd6edee88ae9e948580e46842be85da300f12f9d1673
Instruction ID: 84cdfa958f7d2dca203dbb39beed60b559b2c57bc51b7f72d923f5d99b7051f2
Opcode Fuzzy Hash: 828744eb48e67960d34abd6edee88ae9e948580e46842be85da300f12f9d1673
Instruction Fuzzy Hash: 35411375A002199FCB04DFA8D8589BDBBB9FF48354F008075E955A7261DB70E946CF90

Function 00A39C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A39CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A39D22
GetKeyState.USER32(000000A0), ref: 00A39D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A39D57
GetKeyState.USER32(000000A1), ref: 00A39D6C
GetAsyncKeyState.USER32(00000011), ref: 00A39D84
GetKeyState.USER32(00000011), ref: 00A39D96
GetAsyncKeyState.USER32(00000012), ref: 00A39DAE
GetKeyState.USER32(00000012), ref: 00A39DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A39DD8
GetKeyState.USER32(0000005B), ref: 00A39DEA

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8ee5678754bad5058751b680fb99506bb222ec8eed842e0063ac2e8a20f0bb9b
Instruction ID: 9229a3d121b373a86aaaefa96ec7d32f9982518b4b4c4bd0326b3dca3019b97a
Opcode Fuzzy Hash: 8ee5678754bad5058751b680fb99506bb222ec8eed842e0063ac2e8a20f0bb9b
Instruction Fuzzy Hash: 424194345047CA6DFF31976588053B7FEA06F11354F04805AEAC6566C2DBE599C8CBA2

Function 00A69F86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

GetSystemMetrics.USER32(0000000F), ref: 00A69FC7
GetSystemMetrics.USER32(0000000F), ref: 00A69FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A6A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A6A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A6A263
ShowWindow.USER32(00000003,00000000), ref: 00A6A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00A6A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A6A2CA

Strings

V, xrefs: 00A6A034

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: V
API String ID: 1211466189-4045069856
Opcode ID: 28a12dde997f58b8f0964db110007f46154198b95d22ef7cccb82ec2e0779839
Instruction ID: 204c1b8afd52efb23059eaaeb9ab3ff8f34ab8279ffd532e2e4a558811cd0bce
Opcode Fuzzy Hash: 28a12dde997f58b8f0964db110007f46154198b95d22ef7cccb82ec2e0779839
Instruction Fuzzy Hash: 83B1B831600215EBDF14CF68C9957EE3BB2FF65711F088069EC89AB2A5D771A940CF61

Function 00A5055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A505BC
inet_addr.WSOCK32(?), ref: 00A5061C
gethostbyname.WSOCK32(?), ref: 00A50628
IcmpCreateFile.IPHLPAPI ref: 00A50636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A506C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A506E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A507B9
WSACleanup.WSOCK32 ref: 00A507BF

Strings

Ping, xrefs: 00A50676

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b51306a0ed2a47ce840987dc54b85620a7c57815ecdff949db63b5af364e3988
Instruction ID: c60900b7c15bffdfcf84a6600ab8a152c3523fbfd7c709e98c2d8f7b86a74912
Opcode Fuzzy Hash: b51306a0ed2a47ce840987dc54b85620a7c57815ecdff949db63b5af364e3988
Instruction Fuzzy Hash: 34917D756046019FD320DF15C488F1ABBE0BF88319F1485A9F8A99B7A2D770ED49CF91

Function 00A58CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A58CF3

Part of subcall function 00A38E54: _wcslen.LIBCMT ref: 00A38E77

_wcslen.LIBCMT ref: 00A58D4E
_wcslen.LIBCMT ref: 00A58D9C
_wcslen.LIBCMT ref: 00A58DDC
_wcslen.LIBCMT ref: 00A58E6E

Strings

none, xrefs: 00A58E65, 00A58E6A
cdecl, xrefs: 00A58D48, 00A58D4D
stdcall, xrefs: 00A58DD6, 00A58DDB
winapi, xrefs: 00A58D96, 00A58D9B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: fba9101f2c4384f643a9b2cb8cede2fc7835ee92f693a42a6137d7a12778615a
Instruction ID: 865df26b11335768389b6582d1a032801a12e822b96bbb8c62a4b3a000a30dac
Opcode Fuzzy Hash: fba9101f2c4384f643a9b2cb8cede2fc7835ee92f693a42a6137d7a12778615a
Instruction Fuzzy Hash: 1D51AD32A001169BCF14DF68C9419BEB3F5BF64725B204229ED66F7284EB39DE48C790

Function 00A5372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A53774
CoUninitialize.OLE32 ref: 00A5377F
CoCreateInstance.OLE32(?,00000000,00000017,00A6FB78,?), ref: 00A537D9
IIDFromString.OLE32(?,?), ref: 00A5384C
VariantInit.OLEAUT32(?), ref: 00A538E4
VariantClear.OLEAUT32(?), ref: 00A53936

Strings

Invalid parameter, xrefs: 00A53865
NULL Pointer assignment, xrefs: 00A5381E
Failed to create object, xrefs: 00A537E4, 00A5389A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3dac91a5ada88b620b9eb999f1a355031c44aa46c831a634c094f8f53317aea1
Instruction ID: 35f994a0a6d8314a60a3e5ecfbd5809211d8b9f384df995505cf3d7b75993885
Opcode Fuzzy Hash: 3dac91a5ada88b620b9eb999f1a355031c44aa46c831a634c094f8f53317aea1
Instruction Fuzzy Hash: D3619F72608301AFDB11DF54C889B6ABBF4FF88755F104909F9859B291D770EE48CBA2

Function 00A68B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

Part of subcall function 009E912D: GetCursorPos.USER32(?), ref: 009E9141
Part of subcall function 009E912D: ScreenToClient.USER32(00000000,?), ref: 009E915E
Part of subcall function 009E912D: GetAsyncKeyState.USER32(00000001), ref: 009E9183
Part of subcall function 009E912D: GetAsyncKeyState.USER32(00000002), ref: 009E919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00A68B6B
ImageList_EndDrag.COMCTL32 ref: 00A68B71
ReleaseCapture.USER32 ref: 00A68B77
SetWindowTextW.USER32(?,00000000), ref: 00A68C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A68C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00A68CFF

Strings

V, xrefs: 00A68BB4, 00A68BEE
@GUI_DRAGFILE, xrefs: 00A68C9A
@GUI_DROPID, xrefs: 00A68C51

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$V
API String ID: 1924731296-1847362061
Opcode ID: a588d34e1f7fdbbe6f1293ed79b7b7a99272193d2fd31ff1848bff290f7b7915
Instruction ID: a56d9df2497ddfe856c538c53c7127ee75fd3b4930ea288e646554e553a8ad76
Opcode Fuzzy Hash: a588d34e1f7fdbbe6f1293ed79b7b7a99272193d2fd31ff1848bff290f7b7915
Instruction Fuzzy Hash: 4B517A74205200AFD700EF64DC56FAA77F4FB88714F400A2AF996A72E1CB749D04CB62

Function 00A43388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A433CF

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A433F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00A43522
Incorrect parameters to object property !, xrefs: 00A434AB
Line %d (File "%s"):, xrefs: 00A43443, 00A4345C
^ ERROR , xrefs: 00A4349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00A43504
Error: , xrefs: 00A434D1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4fc079d6b9e050b49ba1002e34a7371627934015f70f3abccdc04705f9a5ada5
Instruction ID: 91db4a6a047096a9b4eae631fc258bdda0a2f49af7853f731ca7b96ddffb2c57
Opcode Fuzzy Hash: 4fc079d6b9e050b49ba1002e34a7371627934015f70f3abccdc04705f9a5ada5
Instruction Fuzzy Hash: E051A132940209BADF15EBE0DE46EEEB7B8AF54340F108466F505721A2EB712F58DB61

Function 00A3B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A3B5FC
_wcslen.LIBCMT ref: 00A3B608
_wcslen.LIBCMT ref: 00A3B64D
_wcslen.LIBCMT ref: 00A3B68C
_wcslen.LIBCMT ref: 00A3B6C7

Strings

KEYS, xrefs: 00A3B647, 00A3B64C
APPEND, xrefs: 00A3B6C1, 00A3B6C6
EXISTS, xrefs: 00A3B686, 00A3B68B
REMOVE, xrefs: 00A3B602, 00A3B607

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 3833503e1de4ce515e3b8cc4f19a2dce4b2d0b66f2eaa938cdff5061f329734d
Instruction ID: 78af5b6b29ae883f1e6d72640be4758def5325aa596ebacc03c26e97ce8fa38e
Opcode Fuzzy Hash: 3833503e1de4ce515e3b8cc4f19a2dce4b2d0b66f2eaa938cdff5061f329734d
Instruction Fuzzy Hash: 5941F732B110269BCB105F7DC8925BE77B6AFA0B94F24412AF621DB285E731CD81C7A0

Function 00A45393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A453A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A45416
GetLastError.KERNEL32 ref: 00A45420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A454A7

Strings

READONLY, xrefs: 00A45452
INVALID, xrefs: 00A45459
NOTREADY, xrefs: 00A4544B
UNKNOWN, xrefs: 00A45444
READY, xrefs: 00A45460, 00A45468

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d526bd53afcaf78221e7e2a5630997c842895f7cad8837643e4be9533068eca4
Instruction ID: 34225f6bd4c6b54a01af5e115ba98deca50fbe8bf55c0557edaff17ec7e77ea9
Opcode Fuzzy Hash: d526bd53afcaf78221e7e2a5630997c842895f7cad8837643e4be9533068eca4
Instruction Fuzzy Hash: 70317C39E006049FCB10DF78C484BAABBB5EF95345F148066E405CF2A2DB75DD86CB90

Function 00A31EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A31F64
GetDlgCtrlID.USER32 ref: 00A31F6F
GetParent.USER32 ref: 00A31F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A31F8E
GetDlgCtrlID.USER32(?), ref: 00A31F97
GetParent.USER32(?), ref: 00A31FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A31FAE

Strings

ListBox, xrefs: 00A31F21
ComboBox, xrefs: 00A31EEC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 711a4686572a328fe19c863b861b5df9030e7ff42995596b9b05c39680208d9f
Instruction ID: f68881143714912d47e8576723f00fec7ef6501b06aa3d5c02997555fc1ea57d
Opcode Fuzzy Hash: 711a4686572a328fe19c863b861b5df9030e7ff42995596b9b05c39680208d9f
Instruction Fuzzy Hash: E621CF75A00214BBCF05EFA0DC85EFEBBB8EF05310F009116F9A5A72A1DB785909DB64

Function 00A31FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00A32043
GetDlgCtrlID.USER32 ref: 00A3204E
GetParent.USER32 ref: 00A3206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A3206D
GetDlgCtrlID.USER32(?), ref: 00A32076
GetParent.USER32(?), ref: 00A3208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A3208D

Strings

ListBox, xrefs: 00A32002
ComboBox, xrefs: 00A31FCD

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 31f9d4ba6a81cba06f7c18d773e9be46b717867673ba9b6c4dd99227b000a709
Instruction ID: 522273c8f3b6fb583ac347f14fe4148b27a6c01c23e3156ba76910f8d281012d
Opcode Fuzzy Hash: 31f9d4ba6a81cba06f7c18d773e9be46b717867673ba9b6c4dd99227b000a709
Instruction Fuzzy Hash: 2321C275A40214BBCF15EFA0CC45EFEBBB8AF05310F005406F995A72A1DA794919DB60

Function 00A3B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A3B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A3B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A3B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A3A1E1,?,00000001), ref: 00A3B21D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e5a82ac0a00cbc34434c43ac182f2ad1994b47a55b55e37237dd9a41d8fa847d
Instruction ID: 44b2f008ab4fc34ddd2fb62d199d9b8902760f51883b7a6affabb09835d8ea70
Opcode Fuzzy Hash: e5a82ac0a00cbc34434c43ac182f2ad1994b47a55b55e37237dd9a41d8fa847d
Instruction Fuzzy Hash: 78318976520205AFDF11DFA4DC49BBEBBBAAB52321F104205FA06D61A0D7B49A428F74

Function 00A02C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A02C94

Part of subcall function 00A029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000), ref: 00A029DE
Part of subcall function 00A029C8: GetLastError.KERNEL32(00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000,00000000), ref: 00A029F0

_free.LIBCMT ref: 00A02CA0
_free.LIBCMT ref: 00A02CAB
_free.LIBCMT ref: 00A02CB6
_free.LIBCMT ref: 00A02CC1
_free.LIBCMT ref: 00A02CCC
_free.LIBCMT ref: 00A02CD7
_free.LIBCMT ref: 00A02CE2
_free.LIBCMT ref: 00A02CED
_free.LIBCMT ref: 00A02CFB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1330bf1d07e7df4dfacbceff1eb53df0aff2a9158428674dc88532db73af5797
Instruction ID: 9aa58072f4c879f43000026c62912544671a0dc965f796dcfa1d40f8b10e67a7
Opcode Fuzzy Hash: 1330bf1d07e7df4dfacbceff1eb53df0aff2a9158428674dc88532db73af5797
Instruction Fuzzy Hash: 8611B97610020CBFCB02EF54EA46EDD3BA9FF45390F5144A5F9485F262D631EE509B90

Function 00A47DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A47FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A47FC1
GetFileAttributesW.KERNEL32(?), ref: 00A47FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A48005
SetCurrentDirectoryW.KERNEL32(?), ref: 00A48017
SetCurrentDirectoryW.KERNEL32(?), ref: 00A48060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A480B0

Strings

*.*, xrefs: 00A48066

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b29f2cbf49bc16c128da5777b1a88ab74b42eeda15e3f5eb5eea9c58acc1d84a
Instruction ID: f389dc84576b085bb3696c8a1c028ac577361f1a6120235a2dfa6de1324f941b
Opcode Fuzzy Hash: b29f2cbf49bc16c128da5777b1a88ab74b42eeda15e3f5eb5eea9c58acc1d84a
Instruction Fuzzy Hash: DF81BE765082819BCB20EF54C845AAEB3E8BFC8310F548D6EF885D7250EB75DD49CB92

Function 00A67E9E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00ED56E8), ref: 00A67F37
IsWindowEnabled.USER32(00ED56E8), ref: 00A67F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A6801E
SendMessageW.USER32(00ED56E8,000000B0,?,?), ref: 00A68051
IsDlgButtonChecked.USER32(?,?), ref: 00A68089
GetWindowLongW.USER32(00ED56E8,000000EC), ref: 00A680AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A680C3

Strings

V, xrefs: 00A67ED2, 00A67F51, 00A67FFF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: V
API String ID: 4072528602-4045069856
Opcode ID: 1a1dbb6113cdcf8b4b3ce5f0ea2c057d5d081609f870498344390704b4de6053
Instruction ID: 3ed57a9e2c35b104989dd70f094a0decc1cd924628598a6e9c5b89301a6acb5e
Opcode Fuzzy Hash: 1a1dbb6113cdcf8b4b3ce5f0ea2c057d5d081609f870498344390704b4de6053
Instruction Fuzzy Hash: 5071BB34618204AFEB21DFA4CC84FBEBBB9EF0A304F144559F995972A1CB75AC45CB20

Function 009D5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 009D5C7A

Part of subcall function 009D5D0A: GetClientRect.USER32(?,?), ref: 009D5D30
Part of subcall function 009D5D0A: GetWindowRect.USER32(?,?), ref: 009D5D71
Part of subcall function 009D5D0A: ScreenToClient.USER32(?,?), ref: 009D5D99

GetDC.USER32 ref: 00A146F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A14708
SelectObject.GDI32(00000000,00000000), ref: 00A14716
SelectObject.GDI32(00000000,00000000), ref: 00A1472B
ReleaseDC.USER32(?,00000000), ref: 00A14733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A147C4

Strings

U, xrefs: 00A14693

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: aa15e6cc0f9f99c967230ce2af2099269d4bbfd7f7a27671a0b98525c6d6c508
Instruction ID: 3778a15a7b266d35925c63f4699776adb694dbcfa1289844436abaebc7795f2b
Opcode Fuzzy Hash: aa15e6cc0f9f99c967230ce2af2099269d4bbfd7f7a27671a0b98525c6d6c508
Instruction Fuzzy Hash: 9C71E134500205EFCF21CF68C984AFA3BB6FF4A365F14426AEDA55A2A6C7319C81DF50

Function 00A4359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A435E4

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

LoadStringW.USER32(00AA2390,?,00000FFF,?), ref: 00A4360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00A43742
^ ERROR, xrefs: 00A436C9
Line %d (File "%s"):, xrefs: 00A4366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00A43724
Error: , xrefs: 00A436EF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1e5dfa46b408242052ef5a0e38822e6f4a838b9ecfef99325802d54411389aed
Instruction ID: c901758ad5643ceb3807634070b66b1ddb58bd611122474724c16e53599e79ac
Opcode Fuzzy Hash: 1e5dfa46b408242052ef5a0e38822e6f4a838b9ecfef99325802d54411389aed
Instruction Fuzzy Hash: E451807294020ABADF14EFE0DD42EEEBB78AF94350F048126F105721A1EB711B99DF61

Function 00A62DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A62E1C
GetWindowLongW.USER32(?,000000F0), ref: 00A62E4F
GetWindowLongW.USER32(?,000000F0), ref: 00A62E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A62EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A62EE0
GetWindowLongW.USER32(?,000000F0), ref: 00A62EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A62F0B

Strings

V, xrefs: 00A62E00, 00A62E34, 00A62E69, 00A62EA1, 00A62EC5, 00A62EFD

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: V
API String ID: 2178440468-4045069856
Opcode ID: 3ab65e1156d7d2ea742ab9ffcd2e3fcc2aeae1dcd7f83be14c0a1513ea129ffd
Instruction ID: a9f2f7a0047649718db5a23e7ebe5247564766862a9227d3b9d466d15bc8ef36
Opcode Fuzzy Hash: 3ab65e1156d7d2ea742ab9ffcd2e3fcc2aeae1dcd7f83be14c0a1513ea129ffd
Instruction Fuzzy Hash: 38312434644641AFEB20CF98DC84F653BF0FB9A720F140165F9508F2B1CBB6A841DB01

Function 00A4C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A4C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A4C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A4C2CA
GetLastError.KERNEL32 ref: 00A4C322
SetEvent.KERNEL32(?), ref: 00A4C336
InternetCloseHandle.WININET(00000000), ref: 00A4C341

Strings

, xrefs: 00A4C2BB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7554a5bfad5f2642b2de5dae411cec63da5001ed130540d0f86e72e041192e90
Instruction ID: e92453d044ffe95721ae259277c9ca35278cfcbafb15e1c1508293324f362faa
Opcode Fuzzy Hash: 7554a5bfad5f2642b2de5dae411cec63da5001ed130540d0f86e72e041192e90
Instruction Fuzzy Hash: BB31B1B5601304AFD761DFA48C88ABBBBFCEB89760B10851DF48AD7200DB70ED059B60

Function 00A3989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A13AAF,?,?,Bad directive syntax error,00A6CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A398BC
LoadStringW.USER32(00000000,?,00A13AAF,?), ref: 00A398C3

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A39987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00A398F1
Error: , xrefs: 00A39955
., xrefs: 00A3996D
Line %d:, xrefs: 00A39912
Line %d (File "%s"):, xrefs: 00A3992D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 227b86502595738b955bc23b21c9dc3fd4643043c54e45340e1f274cf1744980
Instruction ID: 717e9ab3800e6f01adaec199a9aaae479de2bb3076f9143a87d8e683cffb6d6f
Opcode Fuzzy Hash: 227b86502595738b955bc23b21c9dc3fd4643043c54e45340e1f274cf1744980
Instruction Fuzzy Hash: 7621A03194021ABBCF11EFA0CD06FEE7775BF58300F048416F519661A2EB719A28DB11

Function 00A3209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A320AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A320C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A3214D

Strings

details, xrefs: 00A320FB
list, xrefs: 00A3212F
largeicons, xrefs: 00A320E1
smallicons, xrefs: 00A32115
SHELLDLL_DefView, xrefs: 00A320CC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: aaafd01cbee6d6471e95b07a000ce56e6cf2054165278d940871e569e46c7892
Instruction ID: 5b3e52329a57812502ff42fb4491587ccd56c23beda5d58df8b02871df5205a9
Opcode Fuzzy Hash: aaafd01cbee6d6471e95b07a000ce56e6cf2054165278d940871e569e46c7892
Instruction Fuzzy Hash: 0011C67A68870AB9FA066730ED07FB737ACDB05724F200256FB04A50E1FEA5A9425718

Function 00A08D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30147a540a3e4a2f48a490a804e04c9eb507a6befae2bb51493c2f85b8d83dce
Instruction ID: 555ed3636f7c66e4aa50d5c1c54fc1e4a2513be233bd27fe8add4462bab09402
Opcode Fuzzy Hash: 30147a540a3e4a2f48a490a804e04c9eb507a6befae2bb51493c2f85b8d83dce
Instruction Fuzzy Hash: FAC1F174A0424EAFDF11DFA8E841BAEBBB0BF4A310F144199F955A73D2C7349942CB60

Function 00A0CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A0CEB7
_free.LIBCMT ref: 00A0CF22
_free.LIBCMT ref: 00A0CF48
_free.LIBCMT ref: 00A0CF71
_free.LIBCMT ref: 00A0CFA9
_free.LIBCMT ref: 00A0CFDA
_free.LIBCMT ref: 00A0D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A0D09C
_free.LIBCMT ref: 00A0D0B5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 642c65fb24a8280d58e097f69f3ad6b7c2214774e7339eaf409ce971a7bc2ab4
Instruction ID: 9dfd85081920f8d048899b19525f816cbed648091cb7d27a58a57391a7324762
Opcode Fuzzy Hash: 642c65fb24a8280d58e097f69f3ad6b7c2214774e7339eaf409ce971a7bc2ab4
Instruction Fuzzy Hash: 3661647290430EAFDB21AFF4B885B7E7BA5AF05360F14426DF945A72C2E73199018791

Function 009E8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A26890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A268A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A268B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A268D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A268F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A26901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A2691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A2692D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b2575c49d15c4c6b57ca357643caeedbe0550be9590bf14cd2042d28f2380403
Instruction ID: dc6e9408db7e63f78221bc90d05ff194b4a2ccadfc2fc6e1a9d665eadcd71d4c
Opcode Fuzzy Hash: b2575c49d15c4c6b57ca357643caeedbe0550be9590bf14cd2042d28f2380403
Instruction Fuzzy Hash: 1E51AA70600209EFDB21CFA9DC55BAA7BB5EB48760F144528F946972E0DBB0ED91DB40

Function 00A4C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A4C182
GetLastError.KERNEL32 ref: 00A4C195
SetEvent.KERNEL32(?), ref: 00A4C1A9

Part of subcall function 00A4C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A4C272
Part of subcall function 00A4C253: GetLastError.KERNEL32 ref: 00A4C322
Part of subcall function 00A4C253: SetEvent.KERNEL32(?), ref: 00A4C336
Part of subcall function 00A4C253: InternetCloseHandle.WININET(00000000), ref: 00A4C341

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: aa7a18b7eb0d0123bd7d05c2a98c709c10476ff4a53c2bdd87bfb5dd42de5689
Instruction ID: 9acebaafe7c0ea8eab808817df2235678fa66637335b8c670aeb3299ffd4fdd3
Opcode Fuzzy Hash: aa7a18b7eb0d0123bd7d05c2a98c709c10476ff4a53c2bdd87bfb5dd42de5689
Instruction Fuzzy Hash: 0E31C174102701AFDB60AFF4DD04AB6BBF8FF98320B10451DF98A82210D7B1E8119B60

Function 00A325A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A33A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A33A57
Part of subcall function 00A33A3D: GetCurrentThreadId.KERNEL32 ref: 00A33A5E
Part of subcall function 00A33A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A325B3), ref: 00A33A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A325BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A325DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A325DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A325E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A32601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A32605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A3260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A32623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A32627

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 608ac96e70f3146d83b9e443ed1463fabb9bf7498336193052e80b1a834f1762
Instruction ID: 52936f58982af30dad9506bdc578e85169fbd988e7cf357590b96b1f92f0dc06
Opcode Fuzzy Hash: 608ac96e70f3146d83b9e443ed1463fabb9bf7498336193052e80b1a834f1762
Instruction Fuzzy Hash: D501D831794220BBFB10B7A8DC8AF693F69DF4EB61F100011F354AE0D1C9E224458A69

Function 00A31803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A31449,?,?,00000000), ref: 00A3180C
HeapAlloc.KERNEL32(00000000,?,00A31449,?,?,00000000), ref: 00A31813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A31449,?,?,00000000), ref: 00A31828
GetCurrentProcess.KERNEL32(?,00000000,?,00A31449,?,?,00000000), ref: 00A31830
DuplicateHandle.KERNEL32(00000000,?,00A31449,?,?,00000000), ref: 00A31833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A31449,?,?,00000000), ref: 00A31843
GetCurrentProcess.KERNEL32(00A31449,00000000,?,00A31449,?,?,00000000), ref: 00A3184B
DuplicateHandle.KERNEL32(00000000,?,00A31449,?,?,00000000), ref: 00A3184E
CreateThread.KERNEL32(00000000,00000000,00A31874,00000000,00000000,00000000), ref: 00A31868

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 53249b2d62459142d48e067ea7903badfe96706a1e950cfabeec1ca126457e84
Instruction ID: 0df333218c524e6f03c2b5fa81052268ff6d35688e741c0688b04baed78c5029
Opcode Fuzzy Hash: 53249b2d62459142d48e067ea7903badfe96706a1e950cfabeec1ca126457e84
Instruction Fuzzy Hash: 9101BBB5240348BFE710EBA5DC4DF6B7BACEB8AB11F004511FA45DB2A1CAB19801CB30

Function 00A5A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A3D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A3D501
Part of subcall function 00A3D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A3D50F
Part of subcall function 00A3D4DC: CloseHandle.KERNELBASE(00000000), ref: 00A3D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A5A16D
GetLastError.KERNEL32 ref: 00A5A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A5A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A5A268
GetLastError.KERNEL32(00000000), ref: 00A5A273
CloseHandle.KERNEL32(00000000), ref: 00A5A2C4

Strings

SeDebugPrivilege, xrefs: 00A5A18F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0a25f37d339deb72ec45b8c845068dffcf1b91f84c72d33e27f13553d198b0cd
Instruction ID: 7950db6478816e7c229ff0844088cf3989a034f17756b26467814333b2ae1fea
Opcode Fuzzy Hash: 0a25f37d339deb72ec45b8c845068dffcf1b91f84c72d33e27f13553d198b0cd
Instruction Fuzzy Hash: FB619F702046429FD710DF18C495F69BBE1BF54319F14858CE8568B7A3C776EC4ACB92

Function 00A63886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A63925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A6393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A63954
_wcslen.LIBCMT ref: 00A63999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A639C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A639F4

Strings

SysListView32, xrefs: 00A638F7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 18b005d38ec8fdf63bafa4c3c0ce048dd3eebd27277d6b616968b01f98ab3216
Instruction ID: 18f8393fd5749d2d12b80741a56d894b263e3da0e6703d14bfc87462f3bc075f
Opcode Fuzzy Hash: 18b005d38ec8fdf63bafa4c3c0ce048dd3eebd27277d6b616968b01f98ab3216
Instruction Fuzzy Hash: 9A418272A00219ABEF219FA4CC45FEA7BB9EF48354F100526F958E7281D7B59981CB90

Function 00A3BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A3BCFD
IsMenu.USER32(00000000), ref: 00A3BD1D
CreatePopupMenu.USER32 ref: 00A3BD53
GetMenuItemCount.USER32(00ED5710), ref: 00A3BDA4
InsertMenuItemW.USER32(00ED5710,?,00000001,00000030), ref: 00A3BDCC

Strings

0, xrefs: 00A3BCA8
2, xrefs: 00A3BD37

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 95fbd6b7ad45a3ec41dca9ae64f9798261541d6964994e16c8d1728d02afadc2
Instruction ID: 7b0c50b415e8b98b04a24dc62f92133d2397d3d2edb32f20e45193302517d81c
Opcode Fuzzy Hash: 95fbd6b7ad45a3ec41dca9ae64f9798261541d6964994e16c8d1728d02afadc2
Instruction Fuzzy Hash: 6951BF70A102099BDF20DFA8D984BAEBBF6BF453A4F24411AF641E7291D7709941CB71

Function 00A681DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A2F3AB,00000000,?,?,00000000,?,00A2682C,00000004,00000000,00000000), ref: 00A6824C
EnableWindow.USER32(?,00000000), ref: 00A68272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A682D1
ShowWindow.USER32(?,00000004), ref: 00A682E5
EnableWindow.USER32(?,00000001), ref: 00A6830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A6832F

Strings

V, xrefs: 00A68206, 00A68252, 00A68299, 00A682D7, 00A682EB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: V
API String ID: 642888154-4045069856
Opcode ID: 0a859b0683163b5214b9f80ad6f6857003cd0fae791a9abcbf06c8f37d34d9cd
Instruction ID: 1247eeded8d2b28db7eca493f44132cf08fea372c4ae528b6505a09a5204b956
Opcode Fuzzy Hash: 0a859b0683163b5214b9f80ad6f6857003cd0fae791a9abcbf06c8f37d34d9cd
Instruction Fuzzy Hash: 1841E634601641AFDB22CF65C8A9BE47BF4FB0A714F180369E5584F2B2CB39A842CB40

Function 00A3C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A3C913

Strings

blank, xrefs: 00A3C895
warning, xrefs: 00A3C8FC
question, xrefs: 00A3C8CC
info, xrefs: 00A3C8B4
stop, xrefs: 00A3C8E4

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6a5eba254a968aa2ee76c5da39e7bdeb6885fbf19ef74bd2c65d37b1cd8c3273
Instruction ID: 4c542e4b30c12bd87f1f9c4b9ff78c0f23e1a9c9c40ed1c7baeb231abc9b2936
Opcode Fuzzy Hash: 6a5eba254a968aa2ee76c5da39e7bdeb6885fbf19ef74bd2c65d37b1cd8c3273
Instruction Fuzzy Hash: 4511DD3278930ABAEB059B549C83EBB77ECDF15774F51046AF500B6282D7B5AF005364

Function 00A3DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A3DE42
gethostname.WSOCK32(?,00000100), ref: 00A3DE5C
gethostbyname.WSOCK32(?), ref: 00A3DE69
inet_ntoa.WSOCK32(?), ref: 00A3DEAB
_strcat.LIBCMT ref: 00A3DEB9
WSACleanup.WSOCK32 ref: 00A3DEDE

Strings

0.0.0.0, xrefs: 00A3DE87

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f7e4817679b36517d5009a0098ecc24652bd15d29362dd00fd1af5887e82f84f
Instruction ID: ebe06fd90b04cd7960dd4b32bf0a3f5dddd9a0f09742e280b66c15be6de93ee8
Opcode Fuzzy Hash: f7e4817679b36517d5009a0098ecc24652bd15d29362dd00fd1af5887e82f84f
Instruction Fuzzy Hash: 5D110A31904218EFCB20AB60AC0AEFF7BBCDF50720F14016AF54596091EFB19A818B50

Function 00A3ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A3ED2A
_wcslen.LIBCMT ref: 00A3ED3B
_wcslen.LIBCMT ref: 00A3ED79
_wcslen.LIBCMT ref: 00A3EDAF
_wcslen.LIBCMT ref: 00A3EDDF
_wcslen.LIBCMT ref: 00A3EDEF
_wcslen.LIBCMT ref: 00A3EE2B
_wcslen.LIBCMT ref: 00A3EE5A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d687986b01aa5e072ab10c85fd855aec0dae914f66fbc536cdebebabc02754d5
Instruction ID: bc55ca1ffe34e1531947458c8499d04ad62efec51e97f6a547e3f4495e2d2db1
Opcode Fuzzy Hash: d687986b01aa5e072ab10c85fd855aec0dae914f66fbc536cdebebabc02754d5
Instruction Fuzzy Hash: 6141B265D1021C75CB11EBF4888AADFB7A8AF85710F508466F628E3161FB34E255C3E5

Function 009EF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A2682C,00000004,00000000,00000000), ref: 009EF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A2682C,00000004,00000000,00000000), ref: 00A2F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A2682C,00000004,00000000,00000000), ref: 00A2F454

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 56488a76a5902e6622c0f259e1356864f88c7112cb1d12c53b4239af0fde0ba0
Instruction ID: 76af1a1f97d49d56fff03255610a6c1e66bd69906489af6b24c12a1bd767836e
Opcode Fuzzy Hash: 56488a76a5902e6622c0f259e1356864f88c7112cb1d12c53b4239af0fde0ba0
Instruction Fuzzy Hash: BF4128302086C0BEC73ADB3ED8A873A7BB5AB46360F15443EE0C757562D6B5AC81CB11

Function 00A62D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A62D1B
GetDC.USER32(00000000), ref: 00A62D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A62D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A62D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A62D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A62D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A65A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A62DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A62DE1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7715b1ad5b47aa0626946c877ef1a5b5bb9c25681dc741b897276308a6358ba8
Instruction ID: fae54022e3261fde6e764d8d9f27a2eed4cbd944e998ed312ff4557c07764109
Opcode Fuzzy Hash: 7715b1ad5b47aa0626946c877ef1a5b5bb9c25681dc741b897276308a6358ba8
Instruction Fuzzy Hash: 7A316976201614BBEB218F90CC8AFFB3BA9EB09725F044055FE489A291C6B59C51CBA4

Function 00A35622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A35637
_memcmp.LIBVCRUNTIME ref: 00A35659
_memcmp.LIBVCRUNTIME ref: 00A35671
_memcmp.LIBVCRUNTIME ref: 00A35684
_memcmp.LIBVCRUNTIME ref: 00A3569E
_memcmp.LIBVCRUNTIME ref: 00A356B1
_memcmp.LIBVCRUNTIME ref: 00A356C9
_memcmp.LIBVCRUNTIME ref: 00A356E4

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 827df5aad896a22f255eff738f3546c909c45e86308aa49b5152d439ba6183e9
Instruction ID: 5f2183cb05df89659a95bd41ed202fdab76c4e8b97adb02a8be33fd200c2e799
Opcode Fuzzy Hash: 827df5aad896a22f255eff738f3546c909c45e86308aa49b5152d439ba6183e9
Instruction Fuzzy Hash: 8221A4B1E44A09BBD21456399E83FBA336DBF60384F880420FE059A681F760ED10C2E5

Function 00A54FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A5502E, 00A55383
Not an Object type, xrefs: 00A55007

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2a715854d8188e0f75d761f68f870670689040ed66fb7ab19db62781955b6231
Instruction ID: 7fd46d14d13ede15532d10db626dbc0f21f6092f02bac2c9abadd9490effda85
Opcode Fuzzy Hash: 2a715854d8188e0f75d761f68f870670689040ed66fb7ab19db62781955b6231
Instruction Fuzzy Hash: FDD1D171E0060AAFDF10CFA8C8A0BAEB7B5BF48354F148169E915AB280E770DD49CB50

Function 00A11522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00A117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00A115CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A11651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00A117FB,?,00A117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A116E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A116FB

Part of subcall function 00A03820: RtlAllocateHeap.NTDLL(00000000,?,00AA1444,?,009EFDF5,?,?,009DA976,00000010,00AA1440,009D13FC,?,009D13C6,?,009D1129), ref: 00A03852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00A117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A11777
__freea.LIBCMT ref: 00A117A2
__freea.LIBCMT ref: 00A117AE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 152bccf2dcbe510ad80849ab05aad0329816943db815719d18cc367d7b2b848c
Instruction ID: fddd3e0b00640eb3aae77e7511940718ac9e4a11a03986be311164c947c66571
Opcode Fuzzy Hash: 152bccf2dcbe510ad80849ab05aad0329816943db815719d18cc367d7b2b848c
Instruction Fuzzy Hash: 8091B672E002169EDF208F74DD81AEEBBBA9F49360F184659EA11E7281D735DDC1CB60

Function 00A54523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A54648
VariantInit.OLEAUT32(?), ref: 00A54749
VariantClear.OLEAUT32(?), ref: 00A54753
VariantClear.OLEAUT32(?), ref: 00A547B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A545D8, 00A54706, 00A547BE
Incorrect Object type in FOR..IN loop, xrefs: 00A5472C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bdee9922e90a0c6760a827b0dde8342ea3902c93f1164f43413fa2a524cfadc8
Instruction ID: f2fd76fcd20050e3e26d187fd046dd68e3e8f731c3db7aec69902d3330d696c5
Opcode Fuzzy Hash: bdee9922e90a0c6760a827b0dde8342ea3902c93f1164f43413fa2a524cfadc8
Instruction Fuzzy Hash: 00919471A00215AFDF20CFA5C848FAE7BB8FF49719F108559F905AB281D7709989CFA0

Function 00A41187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A4125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A41284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A412A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A412D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A4135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A413C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A41430

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 25dade173216cb36d75c242781d6cb090d280bb2fdd18f3481c62685ea3fb813
Instruction ID: 8606a04d7ef10fa98aee59b32f8bad8c0c594b25b1e51e3d816506268933b4de
Opcode Fuzzy Hash: 25dade173216cb36d75c242781d6cb090d280bb2fdd18f3481c62685ea3fb813
Instruction Fuzzy Hash: A191E479A002199FDB00DF98C888BFEB7B5FF85325F144429E950EB291D7B4E981CB90

Function 009E948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 435528907d4e2fe80b3fe3e123c52edcc6131c7e2fbf53ece46ed10e167d2fe7
Instruction ID: 894398cb0e398d3a595ff58a6f8ab35a8461092faa4b289d8538461dc6043297
Opcode Fuzzy Hash: 435528907d4e2fe80b3fe3e123c52edcc6131c7e2fbf53ece46ed10e167d2fe7
Instruction Fuzzy Hash: 7A911571904219EFCB11CFA9CC84AEEBBB8FF89320F144555E915B7251D778AE42CB60

Function 00A53947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A5396B
CharUpperBuffW.USER32(?,?), ref: 00A53A7A
_wcslen.LIBCMT ref: 00A53A8A
VariantClear.OLEAUT32(?), ref: 00A53C1F

Part of subcall function 00A40CDF: VariantInit.OLEAUT32(00000000), ref: 00A40D1F
Part of subcall function 00A40CDF: VariantCopy.OLEAUT32(?,?), ref: 00A40D28
Part of subcall function 00A40CDF: VariantClear.OLEAUT32(?), ref: 00A40D34

Strings

AUTOIT.ERROR, xrefs: 00A53A80, 00A53A85
Incorrect Parameter format, xrefs: 00A539A6, 00A53BA1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e218449ef745fb8052d80104ef721a7c692d908ccee0d611fa7bcb18879ce981
Instruction ID: e8bcefec4d29588b783b9cf10693928fbdce91b882885c57fba1965454a772f2
Opcode Fuzzy Hash: e218449ef745fb8052d80104ef721a7c692d908ccee0d611fa7bcb18879ce981
Instruction Fuzzy Hash: 519156756083059FCB00EF24C48096AB7E4BFC8755F14892EF88A9B351DB31EE49CB92

Function 00A54BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A3000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?,?,00A3035E), ref: 00A3002B
Part of subcall function 00A3000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?), ref: 00A30046
Part of subcall function 00A3000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?), ref: 00A30054
Part of subcall function 00A3000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?), ref: 00A30064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A54C51
_wcslen.LIBCMT ref: 00A54D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A54DCF
CoTaskMemFree.OLE32(?), ref: 00A54DDA

Strings

NULL Pointer assignment, xrefs: 00A54E23, 00A54E52

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 9d606039bf4845cab3c67cf6b743bebe10d7f8e69c317eb3d79739f537a4f005
Instruction ID: 580c86758277e5298d44154b97d2b658dadb50dfc183cbe8afba2f932e65de56
Opcode Fuzzy Hash: 9d606039bf4845cab3c67cf6b743bebe10d7f8e69c317eb3d79739f537a4f005
Instruction Fuzzy Hash: 3C913671D0021DAFDF14DFA4D891AEEB7B8BF48314F10816AE915A7281EB749E48CF60

Function 00A620FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A62183
GetMenuItemCount.USER32(00000000), ref: 00A621B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A621DD
_wcslen.LIBCMT ref: 00A62213
GetMenuItemID.USER32(?,?), ref: 00A6224D
GetSubMenu.USER32(?,?), ref: 00A6225B

Part of subcall function 00A33A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A33A57
Part of subcall function 00A33A3D: GetCurrentThreadId.KERNEL32 ref: 00A33A5E
Part of subcall function 00A33A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A325B3), ref: 00A33A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A622E3

Part of subcall function 00A3E97B: Sleep.KERNEL32 ref: 00A3E9F3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 96c8805af02d9cefb1863d24c615043847bbaf144f6aa3101fa2e7aa9ccfd59e
Instruction ID: 1cefb1ddf75cfb8dd429bb5e1d18adbee2d16108aa6d4a695248b6eddc0ec2fb
Opcode Fuzzy Hash: 96c8805af02d9cefb1863d24c615043847bbaf144f6aa3101fa2e7aa9ccfd59e
Instruction Fuzzy Hash: CB718C75E00605AFCB10DFA8C895BAEB7F5EF88320F148459E956EB341DB74EE418B90

Function 00A3AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A3AEF9
GetKeyboardState.USER32(?), ref: 00A3AF0E
SetKeyboardState.USER32(?), ref: 00A3AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A3AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A3AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A3AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A3B020

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4e58d44e0d8e114631076cd0f0e6fe576355f445329e2bcf39920586b89119f2
Instruction ID: 9a5367425733a0d52ab9842bb9c7428f2b0b0185536729b6af341b882c469a40
Opcode Fuzzy Hash: 4e58d44e0d8e114631076cd0f0e6fe576355f445329e2bcf39920586b89119f2
Instruction Fuzzy Hash: 3051C2A06147E53DFB368334CC45BBBBEAA5B06304F088589F2D9598D2C3D9ACC8D761

Function 00A3ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A3AD19
GetKeyboardState.USER32(?), ref: 00A3AD2E
SetKeyboardState.USER32(?), ref: 00A3AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A3ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A3ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A3AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A3AE38

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c107a83f418a4ecbf5b153f6ce7db6d4b583d6aeb77fb9486ab88eb202308eeb
Instruction ID: 3fcb7fbe87cc102706bcacb0035ce179a4614db9329d997c67aba861575f9798
Opcode Fuzzy Hash: c107a83f418a4ecbf5b153f6ce7db6d4b583d6aeb77fb9486ab88eb202308eeb
Instruction Fuzzy Hash: 2651E4A16047F53DFB378374CC55BBABEA96B56300F188588F1D94A8C2D394EC88D762

Function 00A0542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00A13CD6,?,?,?,?,?,?,?,?,00A05BA3,?,?,00A13CD6,?,?), ref: 00A05470
__fassign.LIBCMT ref: 00A054EB
__fassign.LIBCMT ref: 00A05506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A13CD6,00000005,00000000,00000000), ref: 00A0552C
WriteFile.KERNEL32(?,00A13CD6,00000000,00A05BA3,00000000,?,?,?,?,?,?,?,?,?,00A05BA3,?), ref: 00A0554B
WriteFile.KERNEL32(?,?,00000001,00A05BA3,00000000,?,?,?,?,?,?,?,?,?,00A05BA3,?), ref: 00A05584

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 60a32f9b020e35ca953baaeb5f580f3ec6cc978a77fd94e13cc51cc261f21031
Instruction ID: 560d050e0960b630373bd119bb5b56dd277f4c88438044c829881b40ae34da49
Opcode Fuzzy Hash: 60a32f9b020e35ca953baaeb5f580f3ec6cc978a77fd94e13cc51cc261f21031
Instruction Fuzzy Hash: 97518F71E006499FDB10CFA8EC85AEEBBF9EF0A310F14415AE555E7291D770AA41CF60

Function 00A66B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A66C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A66C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A66C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A4AB79,00000000,00000000), ref: 00A66C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A66CC7

Strings

V, xrefs: 00A66BB0, 00A66C55

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: V
API String ID: 3688381893-4045069856
Opcode ID: cba8a23289048a895dd531772f2e950d3035f5d42d0493773132dde5ac23ba86
Instruction ID: f890e739ec9c3b7b5edafda1a76da8067115c54b26a4c0f221d3165359ee6cf0
Opcode Fuzzy Hash: cba8a23289048a895dd531772f2e950d3035f5d42d0493773132dde5ac23ba86
Instruction Fuzzy Hash: E041B135A04504BFDB24CF68CD58FBA7BB9EB09360F150268F899A72E0C371AD41CA90

Function 009F2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009F2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 009F2D53
_ValidateLocalCookies.LIBCMT ref: 009F2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 009F2E0C
_ValidateLocalCookies.LIBCMT ref: 009F2E61

Strings

csm, xrefs: 009F2DF6

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6cb1e5d7f453a4194c1adaab537f4e1cd7c9f0bafbf80b9b116e991227fd74b0
Instruction ID: a918c9f86b2b506cef6d5010537ef8dad9579d31635de277d6556976ade7db09
Opcode Fuzzy Hash: 6cb1e5d7f453a4194c1adaab537f4e1cd7c9f0bafbf80b9b116e991227fd74b0
Instruction Fuzzy Hash: FE419334A0020DEBCF10DF68C845BBEBBB5BF85364F148155EA14AB392D7359A55CB90

Function 00A510B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5304E: inet_addr.WSOCK32(?), ref: 00A5307A
Part of subcall function 00A5304E: _wcslen.LIBCMT ref: 00A5309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00A51112
WSAGetLastError.WSOCK32 ref: 00A51121
WSAGetLastError.WSOCK32 ref: 00A511C9
closesocket.WSOCK32(00000000), ref: 00A511F9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: de5a6d3bdb4b96e6556a1d5d0b123a445c4165c0f72b541bcae57156911015a9
Instruction ID: 46cdc7e4c0e7e2a536d2081a7bcf8af84f176a6fdcecf612523b03fc0e55cde0
Opcode Fuzzy Hash: de5a6d3bdb4b96e6556a1d5d0b123a445c4165c0f72b541bcae57156911015a9
Instruction Fuzzy Hash: 9641E131200604AFDB10DF64C884BB9BBB9FF84365F148299FD469B292D774AD46CBE0

Function 00A3CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A3CF22,?), ref: 00A3DDFD

Part of subcall function 00A3DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A3CF22,?), ref: 00A3DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A3CF45
MoveFileW.KERNEL32(?,?), ref: 00A3CF7F
_wcslen.LIBCMT ref: 00A3D005
_wcslen.LIBCMT ref: 00A3D01B
SHFileOperationW.SHELL32(?), ref: 00A3D061

Strings

\*.*, xrefs: 00A3CFF3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b32eb9442d6c9d8ec2c0c73ad3bc5902a8543e0956a031eb2ca5be6b062e03a1
Instruction ID: 0ca2a534daa1b374265265bf7e626e157c02dbd85e2889ad722f0c182dfa0b99
Opcode Fuzzy Hash: b32eb9442d6c9d8ec2c0c73ad3bc5902a8543e0956a031eb2ca5be6b062e03a1
Instruction Fuzzy Hash: F1415671D452189FDF12EBA4DE81AEEB7B8AF48790F0000E6F545EB141EB34AA85CF50

Function 00A63D7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A63E35
IsMenu.USER32(?), ref: 00A63E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A63E92
DrawMenuBar.USER32 ref: 00A63EA5

Strings

0, xrefs: 00A63D89
V, xrefs: 00A63DF7, 00A63E12

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0$V
API String ID: 3076010158-3648174478
Opcode ID: c7008068d7009ab80cc206779954740b5ae1612491d2f1515c072080835f0f31
Instruction ID: b01b6ea87d0a1f299d05431f572bd533a75cf84e36da06c83ec90ca1af240744
Opcode Fuzzy Hash: c7008068d7009ab80cc206779954740b5ae1612491d2f1515c072080835f0f31
Instruction Fuzzy Hash: 93414776A01209EFDF10DFA0D884AAABBF9FF49360F044129F905A7250D775AE56CF60

Function 00A37726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A37769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A3778F
SysAllocString.OLEAUT32(00000000), ref: 00A37792
SysAllocString.OLEAUT32(?), ref: 00A377B0
SysFreeString.OLEAUT32(?), ref: 00A377B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A377DE
SysAllocString.OLEAUT32(?), ref: 00A377EC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f53689e89173d063955678edcb619dfb38e89e4165770f3eed4853949073f69b
Instruction ID: 7f208278433a3aa26ba1873b2dca240e220d84d8a61d3058b761cbb71af0452c
Opcode Fuzzy Hash: f53689e89173d063955678edcb619dfb38e89e4165770f3eed4853949073f69b
Instruction Fuzzy Hash: 192192B6608219AFDB20DFA9CC88DBF77ACEB09764B048026F915DB150D670DC42C760

Function 00A377FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A37842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A37868
SysAllocString.OLEAUT32(00000000), ref: 00A3786B
SysAllocString.OLEAUT32 ref: 00A3788C
SysFreeString.OLEAUT32 ref: 00A37895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A378AF
SysAllocString.OLEAUT32(?), ref: 00A378BD

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b28434235be539a32f87dadee1b791f9891554fb90659f8f727a86d48816a6e8
Instruction ID: ebe472ed24cb742325cfcf8ff44afb020c9eea912f45b5d91585a28f6803e628
Opcode Fuzzy Hash: b28434235be539a32f87dadee1b791f9891554fb90659f8f727a86d48816a6e8
Instruction Fuzzy Hash: 6C215E72609205AFDB20DBE9DC8CDBA77BCEB09760B108125F915DB2A1DA70DC81CB64

Function 00A404D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A404F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A4052E

Strings

nul, xrefs: 00A40567

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a23b1c9518213019314d85efb11dbbd20c0c5b610524f17de720e420823161c8
Instruction ID: 22a740c1de708ed3d2cd16b2a06a6d58b3a87d61417eebcb0fd10e69dfcd9d41
Opcode Fuzzy Hash: a23b1c9518213019314d85efb11dbbd20c0c5b610524f17de720e420823161c8
Instruction Fuzzy Hash: C021A278500305ABCF209F69DC04E9A7BB4EF84720F208A19F9A1D72E0D7B09940EF21

Function 00A405A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A405C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A40601

Strings

nul, xrefs: 00A40639

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 87492b4da2ee3ef9a1262cf97e7d0d855477a552036bc6e2b9b22e09f49227e2
Instruction ID: dc75ebbd6dad171d750a2b733f7edbe9b96f211d07300e000371d12d729ccbce
Opcode Fuzzy Hash: 87492b4da2ee3ef9a1262cf97e7d0d855477a552036bc6e2b9b22e09f49227e2
Instruction Fuzzy Hash: FB2174795003059BDB209F698C04E9ABBF4AFD5730F204A19EAA2D72D0D7F09851EB10

Function 00A640AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009D604C
Part of subcall function 009D600E: GetStockObject.GDI32(00000011), ref: 009D6060
Part of subcall function 009D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009D606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A64112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A6411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A6412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A64139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A64145

Strings

Msctls_Progress32, xrefs: 00A640E3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ffc94208c2c3014ef3eaa929c912b0fdd1d3a5731afd9a76525c0c026ef93dd6
Instruction ID: 45f3d74d2084be92728d068525fa12b78a2db83b435257363474b83d6c91feb5
Opcode Fuzzy Hash: ffc94208c2c3014ef3eaa929c912b0fdd1d3a5731afd9a76525c0c026ef93dd6
Instruction Fuzzy Hash: D111B6B11501197EEF119F64CC85EE77F6DEF09798F014111FB18A2150C7769C61DBA4

Function 009E990F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009E98CC
SetTextColor.GDI32(?,?), ref: 009E98D6
SetBkMode.GDI32(?,00000001), ref: 009E98E9
GetStockObject.GDI32(00000005), ref: 009E98F1
GetWindowLongW.USER32(?,000000EB), ref: 009E9952

Strings

V, xrefs: 009E9960

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID: V
API String ID: 1860813098-4045069856
Opcode ID: b2a75ea74ac63d8c409044e11df57e6b4a745acfe2ecf5cd22b86da7d2eacdaa
Instruction ID: ea79a59d1c4aefff381ceeec3a586b8a45530e929ad2ccb0cf952bc2cb8935e4
Opcode Fuzzy Hash: b2a75ea74ac63d8c409044e11df57e6b4a745acfe2ecf5cd22b86da7d2eacdaa
Instruction Fuzzy Hash: 302102321452A0ABCB238F66EC54AFA3B34EF27331F18015AF9828B1A2D7754D51CB91

Function 00A0D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A0D7A3: _free.LIBCMT ref: 00A0D7CC

_free.LIBCMT ref: 00A0D82D

Part of subcall function 00A029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000), ref: 00A029DE
Part of subcall function 00A029C8: GetLastError.KERNEL32(00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000,00000000), ref: 00A029F0

_free.LIBCMT ref: 00A0D838
_free.LIBCMT ref: 00A0D843
_free.LIBCMT ref: 00A0D897
_free.LIBCMT ref: 00A0D8A2
_free.LIBCMT ref: 00A0D8AD
_free.LIBCMT ref: 00A0D8B8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b9981c24394edab6c654e8573e23f0f001aed8659c41f23a684e6b55669c3741
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 50113072540B0CBAD621BFF4EE4BFCB7BDCAF84740F404825B299AA4D2DA75B5058760

Function 00A3DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A3DA74
LoadStringW.USER32(00000000), ref: 00A3DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A3DA91
LoadStringW.USER32(00000000), ref: 00A3DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A3DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A3DAB9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: d03bf6eaf848fc68cc9321ec997c8466a7270d1d5ee2df4a7c09141b3af3a82f
Instruction ID: e260994ccddb9b91a3a4c0719414f167b96d2688723f3c1979a5c50be6d650a6
Opcode Fuzzy Hash: d03bf6eaf848fc68cc9321ec997c8466a7270d1d5ee2df4a7c09141b3af3a82f
Instruction Fuzzy Hash: A4014FF6900208BBE710DBE49D89EF7727CEB08351F400592F756E6041E6B49E854B74

Function 00A4096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00ECD278,00ECD278), ref: 00A4097B
EnterCriticalSection.KERNEL32(00ECD258,00000000), ref: 00A4098D
TerminateThread.KERNEL32(?,000001F6), ref: 00A4099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00A409A9
CloseHandle.KERNEL32(?), ref: 00A409B8
InterlockedExchange.KERNEL32(00ECD278,000001F6), ref: 00A409C8
LeaveCriticalSection.KERNEL32(00ECD258), ref: 00A409CF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3c04128dddd5ea828fcfbc232de851ee6c2b7d3a89a466f80edbd7a1b3b2ea26
Instruction ID: 22f16ac34a04ebab227dafcebbc043e658d86e28d8c770b07829e29a1607763f
Opcode Fuzzy Hash: 3c04128dddd5ea828fcfbc232de851ee6c2b7d3a89a466f80edbd7a1b3b2ea26
Instruction Fuzzy Hash: F3F03131442512FBD742AFE4EE9CBE6BB35FF41712F401015F241508A1C7B59466DFA0

Function 00A51C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00A51DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A51DE1
WSAGetLastError.WSOCK32 ref: 00A51DF2
htons.WSOCK32(?), ref: 00A51EDB
inet_ntoa.WSOCK32(?), ref: 00A51E8C

Part of subcall function 00A339E8: _strlen.LIBCMT ref: 00A339F2

Part of subcall function 00A53224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00A4EC0C), ref: 00A53240

_strlen.LIBCMT ref: 00A51F35

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: a36ea80e7454e175982bc7faca2ab620aa18852fc33b43e74bb5005bce36e45f
Instruction ID: 8b9f3379518b6ba084c848ef906bcafa3bd2aa22f592bc15e28ffb974118472a
Opcode Fuzzy Hash: a36ea80e7454e175982bc7faca2ab620aa18852fc33b43e74bb5005bce36e45f
Instruction Fuzzy Hash: 5FB18931204340AFC724DF24C895F3A7BA5BF84318F54894DF8565B2A2DB71ED4ACB91

Function 009D5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 009D5D30
GetWindowRect.USER32(?,?), ref: 009D5D71
ScreenToClient.USER32(?,?), ref: 009D5D99
GetClientRect.USER32(?,?), ref: 009D5ED7
GetWindowRect.USER32(?,?), ref: 009D5EF8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4bed4e9f83521cc95dded155d58205cbf389fe30791a7214944e4b7f12dccb6b
Instruction ID: 9201913009c167e0cc54c3165941d6b1294d31fd6608529c9d5d893f8b2b14c0
Opcode Fuzzy Hash: 4bed4e9f83521cc95dded155d58205cbf389fe30791a7214944e4b7f12dccb6b
Instruction Fuzzy Hash: 9FB17A34A0064ADBDB10DFA8C4807EEB7F1FF58310F14C91AE8A9D7250DB34AA91DB64

Function 00A001B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A000BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A000D6
__allrem.LIBCMT ref: 00A000ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A0010B
__allrem.LIBCMT ref: 00A00122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A00140

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9c766f61a010ff6dd37ea34d8c5aa4c9ba008be13db4f8b63f1b50c5f4e801be
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 5281E672A00B0E9BE7209F68DD51FAB73E9EF41724F24463AF651D66C1E770D9408B90

Function 00A061FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009F82D9,009F82D9,?,?,?,00A0644F,00000001,00000001,8BE85006), ref: 00A06258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A0644F,00000001,00000001,8BE85006,?,?,?), ref: 00A062DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A063D8
__freea.LIBCMT ref: 00A063E5

Part of subcall function 00A03820: RtlAllocateHeap.NTDLL(00000000,?,00AA1444,?,009EFDF5,?,?,009DA976,00000010,00AA1440,009D13FC,?,009D13C6,?,009D1129), ref: 00A03852

__freea.LIBCMT ref: 00A063EE
__freea.LIBCMT ref: 00A06413

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 99b102fd20f11e51591abe20116480189eda355109335b2be102fd9c88653641
Instruction ID: f8dbaafeda124b81670ca91e7c8809884d16497e76cbaf1e4d9ef944ecee5a93
Opcode Fuzzy Hash: 99b102fd20f11e51591abe20116480189eda355109335b2be102fd9c88653641
Instruction Fuzzy Hash: 2F51D172A0021AABEF258F64ED91EBF77A9EF44758F144629FC05DA1C0DB34DC60C6A1

Function 00A5BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A5C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A5B6AE,?,?), ref: 00A5C9B5
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5C9F1
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA68
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A5BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A5BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A5BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A5BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A5BDF3
RegCloseKey.ADVAPI32(?), ref: 00A5BDFF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: fe9072e8517eb5142e8551c11286b54db803d59edca678179e639292780d7f26
Instruction ID: 25aa8002243bc636828c9eee1cceba2776149ce3ab9a24a308e6a8caf2b16fd6
Opcode Fuzzy Hash: fe9072e8517eb5142e8551c11286b54db803d59edca678179e639292780d7f26
Instruction Fuzzy Hash: 89817C31218241AFD714DF24C891E2ABBF5FF84349F14855DF8994B2A2DB31ED49CBA2

Function 00A2F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A2F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A2F860
VariantCopy.OLEAUT32(00A2FA64,00000000), ref: 00A2F889
VariantClear.OLEAUT32(00A2FA64), ref: 00A2F8AD
VariantCopy.OLEAUT32(00A2FA64,00000000), ref: 00A2F8B1
VariantClear.OLEAUT32(?), ref: 00A2F8BB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 531b768c049502b6bba02cbc78f61c8676440639c4d1778960f187c85b4a7ab4
Instruction ID: da7d2172ef82611ec258ccaa8f21deaa49c27f329ca3ece97720adf091353e70
Opcode Fuzzy Hash: 531b768c049502b6bba02cbc78f61c8676440639c4d1778960f187c85b4a7ab4
Instruction Fuzzy Hash: 71519635600320BEDF24AB69E895B39B3B4EF45710B249477F906DF295DB708C80C796

Function 00A4910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 009D7620: _wcslen.LIBCMT ref: 009D7625

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A494E5
_wcslen.LIBCMT ref: 00A49506
_wcslen.LIBCMT ref: 00A4952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A49585

Strings

X, xrefs: 00A49412

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a9ce22d07eea0041b1426a63fe5ea5f34005d505f7dcc0186ca58b13732d51e6
Instruction ID: 6009b5ea143cfc9bd34161867dd5b2bb654cde5983599a01aec93ada3033d143
Opcode Fuzzy Hash: a9ce22d07eea0041b1426a63fe5ea5f34005d505f7dcc0186ca58b13732d51e6
Instruction Fuzzy Hash: 29E16C356043409FD724EF24C881B6BB7E4AFC5314F14896DE8999B3A2DB31ED05CB92

Function 009E920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

BeginPaint.USER32(?,?,?), ref: 009E9241
GetWindowRect.USER32(?,?), ref: 009E92A5
ScreenToClient.USER32(?,?), ref: 009E92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009E92D3
EndPaint.USER32(?,?,?,?,?), ref: 009E9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A271EA

Part of subcall function 009E9339: BeginPath.GDI32(00000000), ref: 009E9357

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c148e61a2f3a31820168315fe5b2b97caa530ed2bd728a60a73e693847a87541
Instruction ID: 62d386ab6b88583103c79a861e78d04ecbb9a2528518beb0de83634ba7bbff6a
Opcode Fuzzy Hash: c148e61a2f3a31820168315fe5b2b97caa530ed2bd728a60a73e693847a87541
Instruction Fuzzy Hash: 0941BF30104251AFD712DF65D884FBA7BB8EF46320F140629F9A4872F1C7709C46DB62

Function 00A407EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A4080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A40847
EnterCriticalSection.KERNEL32(?), ref: 00A40863
LeaveCriticalSection.KERNEL32(?), ref: 00A408DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A408F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A40921

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 7b131070ce93930f47c07be40cc60795d5c61e3c5fdb7bddd2f0e4166680fe0c
Instruction ID: f4d605fa858d936e6f7dec73caf2b9b6ffce58cbe17fc6c0db22f310090c51fe
Opcode Fuzzy Hash: 7b131070ce93930f47c07be40cc60795d5c61e3c5fdb7bddd2f0e4166680fe0c
Instruction Fuzzy Hash: 58418B71900205EBDF05EFA4DC85AAA7778FF84310F1040A9EE009A297DB70EE61DBA0

Function 00A34C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A34C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A34CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A34CEA
_wcslen.LIBCMT ref: 00A34D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A34D10
_wcsstr.LIBVCRUNTIME ref: 00A34D1A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e02d650c0ed56cb731494e893274b40ae8f6f1fcd7cd5c4e02446b26618150d3
Instruction ID: f1c8ca97460dcab0db25de89fac942bdc50c25b38c07f21be3bfe0783ae916db
Opcode Fuzzy Hash: e02d650c0ed56cb731494e893274b40ae8f6f1fcd7cd5c4e02446b26618150d3
Instruction Fuzzy Hash: 98213B32204200BBEB159B75EC09F7B7BACDF49760F10803EF805CA191DEA5EC0187A0

Function 00A4581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 009D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009D3A97,?,?,009D2E7F,?,?,?,00000000), ref: 009D3AC2

_wcslen.LIBCMT ref: 00A4587B
CoInitialize.OLE32(00000000), ref: 00A45995
CoCreateInstance.OLE32(00A6FCF8,00000000,00000001,00A6FB68,?), ref: 00A459AE
CoUninitialize.OLE32 ref: 00A459CC

Strings

.lnk, xrefs: 00A45876, 00A458C1, 00A45985

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 9474bd77a8f7c5d3ccbb414e91770b82071f256300f56f3e82725a92dd23c66f
Instruction ID: c90e1024fc65b542e797630088abb7b9c246728120214182d3901239e87a0326
Opcode Fuzzy Hash: 9474bd77a8f7c5d3ccbb414e91770b82071f256300f56f3e82725a92dd23c66f
Instruction Fuzzy Hash: BAD14279A086019FC714DF28C484A2ABBE1FFC9714F14895DF8899B362DB31EC45CB92

Function 00A3175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A30FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A30FCA
Part of subcall function 00A30FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A30FD6
Part of subcall function 00A30FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A30FE5
Part of subcall function 00A30FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A30FEC
Part of subcall function 00A30FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A31002

GetLengthSid.ADVAPI32(?,00000000,00A31335), ref: 00A317AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A317BA
HeapAlloc.KERNEL32(00000000), ref: 00A317C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A317DA
GetProcessHeap.KERNEL32(00000000,00000000,00A31335), ref: 00A317EE
HeapFree.KERNEL32(00000000), ref: 00A317F5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7efb47afcb834bf0e8a9c92e7088ea29d06c7acc61368ae76d165697901fae86
Instruction ID: 5c9ad1e63a076b4cab301d055a9afc8681f737e2a0817fb0d361534189b61001
Opcode Fuzzy Hash: 7efb47afcb834bf0e8a9c92e7088ea29d06c7acc61368ae76d165697901fae86
Instruction Fuzzy Hash: EB117932600205EFDB21DFA4CC49FBE7BB9EB46369F184119F481A7210D776A945CF60

Function 00A314CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A314FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A31506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A31515
CloseHandle.KERNEL32(00000004), ref: 00A31520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A3154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A31563

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1d109add480919fcee8916ec0687e7450265ae146bef093e7afb3d2a02ce5394
Instruction ID: a1ed67cb6ddf9e292e64b1611fdb15ee11d576def641511c44935db1772fe5c7
Opcode Fuzzy Hash: 1d109add480919fcee8916ec0687e7450265ae146bef093e7afb3d2a02ce5394
Instruction Fuzzy Hash: B1112972500249ABDF11CFD8DD49FEE7BB9EF48754F044015FA45A2160C3B58E61DB60

Function 009F3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009F3379,009F2FE5), ref: 009F3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009F339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009F33B7
SetLastError.KERNEL32(00000000,?,009F3379,009F2FE5), ref: 009F3409

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: bd87a20884895723989e827aa57d162f950aaaf19f2596b010952ff14222da8e
Instruction ID: f56765a500cdb31dcf8be4c449dee789a20338ce07f851b6bbd038463d961932
Opcode Fuzzy Hash: bd87a20884895723989e827aa57d162f950aaaf19f2596b010952ff14222da8e
Instruction Fuzzy Hash: B6014C33308B19BEE61567F47C867372A98DB45379760822AF710C42F0FF994D125344

Function 00A02D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A05686,00A13CD6,?,00000000,?,00A05B6A,?,?,?,?,?,009FE6D1,?,00A98A48), ref: 00A02D78
_free.LIBCMT ref: 00A02DAB
_free.LIBCMT ref: 00A02DD3
SetLastError.KERNEL32(00000000,?,?,?,?,009FE6D1,?,00A98A48,00000010,009D4F4A,?,?,00000000,00A13CD6), ref: 00A02DE0
SetLastError.KERNEL32(00000000,?,?,?,?,009FE6D1,?,00A98A48,00000010,009D4F4A,?,?,00000000,00A13CD6), ref: 00A02DEC
_abort.LIBCMT ref: 00A02DF2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 463753bfe27a1e533a07663b8439bdac536d24052a49167fe0088eb2b84a2506
Instruction ID: e0273f822dd7fbd0315853e23da5efd5601492814aa2587d6dc75d571c85cf75
Opcode Fuzzy Hash: 463753bfe27a1e533a07663b8439bdac536d24052a49167fe0088eb2b84a2506
Instruction Fuzzy Hash: 0AF02232604B0827DA237378BD0EF6A266DAFC27B0F310519F824932E2EF208C024320

Function 00A68A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009E9693
Part of subcall function 009E9639: SelectObject.GDI32(?,00000000), ref: 009E96A2
Part of subcall function 009E9639: BeginPath.GDI32(?), ref: 009E96B9
Part of subcall function 009E9639: SelectObject.GDI32(?,00000000), ref: 009E96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A68A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A68A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A68A70
LineTo.GDI32(?,00000000,00000003), ref: 00A68A80
EndPath.GDI32(?), ref: 00A68A90
StrokePath.GDI32(?), ref: 00A68AA0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 14fdca17dfe22c8b55db7ce1741524885a9afac0742fa306db4a55c03a4f003b
Instruction ID: 0157a023385b1703d85f44914ce8a2fe6c4dd18fd4a2f32b7c13f3401145e97d
Opcode Fuzzy Hash: 14fdca17dfe22c8b55db7ce1741524885a9afac0742fa306db4a55c03a4f003b
Instruction Fuzzy Hash: AB11F776000109FFDB12DFD4EC88EAA7F6CEB083A0F018012FA599A1A1C7719D56DBA0

Function 00A351FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A35218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A35229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A35230
ReleaseDC.USER32(00000000,00000000), ref: 00A35238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A3524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A35261

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 89c31c14e72d0de284f8ee96129e20f17c291b0fe4e3fec2801a73e3ce36f931
Instruction ID: 1ce0d3408ad461c5ad2f79e180674f6bed195f68c467cd1fa0d204847c854811
Opcode Fuzzy Hash: 89c31c14e72d0de284f8ee96129e20f17c291b0fe4e3fec2801a73e3ce36f931
Instruction Fuzzy Hash: 28018F75E00718BBEB109BF99C49A5EBFB8EF48361F044066FA04A7280D6B09801CBA0

Function 009D1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009D1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 009D1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009D1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009D1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 009D1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 009D1C22

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7a1caeaa53a5c4105f576dea24b04555c2c355269ca32ed6edd7e88b45d8e2c7
Instruction ID: ffb36eb83b23ebb67a5b8b5deffd5ba4479437fd91c59546aa936ac78c775548
Opcode Fuzzy Hash: 7a1caeaa53a5c4105f576dea24b04555c2c355269ca32ed6edd7e88b45d8e2c7
Instruction Fuzzy Hash: 0E0144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00A3EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A3EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A3EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A3EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A3EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A3EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A3EB75

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e054270823e0d6af94dffd5f23a1e2fce7c26705193d557084ddb58f145fb679
Instruction ID: bb4201644d911c68bb4a657a5589d1a9b3146dc7111db49b235735507ff35d5d
Opcode Fuzzy Hash: e054270823e0d6af94dffd5f23a1e2fce7c26705193d557084ddb58f145fb679
Instruction Fuzzy Hash: 3AF01D76240158BBE621AB92DC0DEBB7A7CEFCAB21F004158F642D119196E45A0286B5

Function 00A27439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A27452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A27469
GetWindowDC.USER32(?), ref: 00A27475
GetPixel.GDI32(00000000,?,?), ref: 00A27484
ReleaseDC.USER32(?,00000000), ref: 00A27496
GetSysColor.USER32(00000005), ref: 00A274B0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 82a0c8479606cbce65a4ff48b1d84dbc67cf8f9fbbeb6da3cebbea4c3abb0889
Instruction ID: 807227fe86a1a3a27d57e57cd5cae4c222b819a52a1abc9d3674fc79c827c5d1
Opcode Fuzzy Hash: 82a0c8479606cbce65a4ff48b1d84dbc67cf8f9fbbeb6da3cebbea4c3abb0889
Instruction Fuzzy Hash: 58018B31400215EFDB51AFA4EC08BBE7BB6FB04321F105160F956A21E0CB711E42AB50

Function 00A31874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A3187F
UnloadUserProfile.USERENV(?,?), ref: 00A3188B
CloseHandle.KERNEL32(?), ref: 00A31894
CloseHandle.KERNEL32(?), ref: 00A3189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A318A5
HeapFree.KERNEL32(00000000), ref: 00A318AC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b787f5759f84084e262d8cd018634accf1292c45354c87bceb633fbc66c65cab
Instruction ID: 79ee430b1fabf24473196583965074cdbd2e997188c520f50ec6bc73c4dd219c
Opcode Fuzzy Hash: b787f5759f84084e262d8cd018634accf1292c45354c87bceb633fbc66c65cab
Instruction Fuzzy Hash: 46E0E536004101BBDB01AFE2ED0C91AFF39FF4AB32B108221F26585170CBB29422DF60

Function 00A3C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D7620: _wcslen.LIBCMT ref: 009D7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A3C6EE
_wcslen.LIBCMT ref: 00A3C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A3C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A3C7CA

Strings

0, xrefs: 00A3C6AF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: df9150116a572c3bc9efeef4f5528322ef85798d593fd132fd3b9c03877766b7
Instruction ID: 330eaec45ab04a3638d2cc5fd426e317411443884865c234299edacf1ca3f10e
Opcode Fuzzy Hash: df9150116a572c3bc9efeef4f5528322ef85798d593fd132fd3b9c03877766b7
Instruction Fuzzy Hash: 5E51AD71604341ABD7159F28CC89B6BB7E8AF89320F040A2EF995F32E1DB60DD04CB52

Function 00A5AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A5AEA3

Part of subcall function 009D7620: _wcslen.LIBCMT ref: 009D7625

GetProcessId.KERNEL32(00000000), ref: 00A5AF38
CloseHandle.KERNEL32(00000000), ref: 00A5AF67

Strings

@, xrefs: 00A5AE72
<, xrefs: 00A5AE6B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c0b24abff065bc8f2e756ef40d02d6a4223147ecb096e731085d7beb3e4cbcce
Instruction ID: e5077595cff9a6958fe1656f13fe98913dc60c3bf766039d3ee33c8822891b87
Opcode Fuzzy Hash: c0b24abff065bc8f2e756ef40d02d6a4223147ecb096e731085d7beb3e4cbcce
Instruction Fuzzy Hash: 09714671A00219DFCB14EF94D485A9EBBF0BF48310F04859AE816AB352DB74ED49CB91

Function 00A66278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A662E2
ScreenToClient.USER32(?,?), ref: 00A66315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A66382

Strings

V, xrefs: 00A662B1, 00A663AC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: V
API String ID: 3880355969-4045069856
Opcode ID: 6d54b783b75bccbeb1ab54d9f47326b1021e2b41493da42f05701adbeec786a0
Instruction ID: c2de407c8efe00a914c8acc85289b718840abba2f9a52e418c59ec9088cd83ca
Opcode Fuzzy Hash: 6d54b783b75bccbeb1ab54d9f47326b1021e2b41493da42f05701adbeec786a0
Instruction Fuzzy Hash: 8051FA74A00209AFDF10DF68D981AAE7BB5EB45364F10815AF9659B390D770ED81CB50

Function 00A3719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A37206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A3723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A3724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A372CF

Strings

DllGetClassObject, xrefs: 00A37242

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e4597897f62ca4b82626737ecc3de588b4d629d877f0c29e2e89927c3dc5fadf
Instruction ID: 75d21e3520c36e433fa98204aecf66bb770b9919d9f048db201b53ababe1c6c1
Opcode Fuzzy Hash: e4597897f62ca4b82626737ecc3de588b4d629d877f0c29e2e89927c3dc5fadf
Instruction Fuzzy Hash: 07412CB1A04205AFDB25CF94C884AAF7BB9EF49710F1480A9FD059F20AD7B1D945CBA0

Function 00A652C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A65352
GetWindowLongW.USER32(?,000000F0), ref: 00A65375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A65382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A653A8

Strings

V, xrefs: 00A652F1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: V
API String ID: 3340791633-4045069856
Opcode ID: 1ed015d56f878461bbc8b7cd00a58bebd03f16d5136c64630c00f82c80ac2f70
Instruction ID: 92e8dccf6eb5ec834634de34306a114c36443fd6562b936a40847c3f2d719537
Opcode Fuzzy Hash: 1ed015d56f878461bbc8b7cd00a58bebd03f16d5136c64630c00f82c80ac2f70
Instruction Fuzzy Hash: D031BE34E55A08AFEB349F74CC26BE93775AB05B90F584102FA519E3E1C7B49980AB42

Function 00A67674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A6769A
GetWindowRect.USER32(?,?), ref: 00A67710
PtInRect.USER32(?,?,00A68B89), ref: 00A67720
MessageBeep.USER32(00000000), ref: 00A6778C

Strings

V, xrefs: 00A676D6, 00A67733

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: V
API String ID: 1352109105-4045069856
Opcode ID: d120d8fe919416be5f508d479c696263a05748fd2017c9bd8aba89e870f7e35f
Instruction ID: 5eb82d9c59df4151c72d63a63de3dea87bb153b52468c8814e54fc27f5b41001
Opcode Fuzzy Hash: d120d8fe919416be5f508d479c696263a05748fd2017c9bd8aba89e870f7e35f
Instruction Fuzzy Hash: 2D419D38A15215EFDB01CFA8C894EADB7F5FF49318F1580A9E9159B2A1D730E942CF90

Function 00A31DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A31E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A31E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A31EA9

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

Strings

ListBox, xrefs: 00A31E25
ComboBox, xrefs: 00A31DF0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 84af8f871dedcc704cb4eafe7b523626098fa3ecbb6b55cf62dd21ba20bf2d50
Instruction ID: 26a66976a9749cbac38fa7b184458304588cb9747eb85f343d0da97394afe236
Opcode Fuzzy Hash: 84af8f871dedcc704cb4eafe7b523626098fa3ecbb6b55cf62dd21ba20bf2d50
Instruction Fuzzy Hash: 07213871A40104BEDB14ABB4DC46DFFB7B8EF85760F20851AF825A72E1DB794D0A9620

Function 00A64653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A64705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A64713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A6471A

Strings

V, xrefs: 00A646D0, 00A646EF
msctls_updown32, xrefs: 00A64684

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32$V
API String ID: 4014797782-1590291244
Opcode ID: c2d1d3fac16eae7c644e3a8cc408e7b6c337637e697b2f17cf8e4807d9e95e2d
Instruction ID: 4c841ce64e15b1e86d2bbed20acd03fd533036fba52a59d69995832277c0851b
Opcode Fuzzy Hash: c2d1d3fac16eae7c644e3a8cc408e7b6c337637e697b2f17cf8e4807d9e95e2d
Instruction Fuzzy Hash: 55215EB5600209AFEB10DF64DC91DB737BDEB9A3A4B040159FA009B2A1DB70EC52CA60

Function 00A68FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

GetCursorPos.USER32(?), ref: 00A69001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A27711,?,?,?,?,?), ref: 00A69016
GetCursorPos.USER32(?), ref: 00A6905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A27711,?,?,?), ref: 00A69094

Strings

V, xrefs: 00A6902E, 00A69064

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: V
API String ID: 2864067406-4045069856
Opcode ID: 143e6f6929bc7c19de30d3cec5a50baf3e13ddf55c0dcb36a4de250d2cea7cbf
Instruction ID: ef2f37800dddb01d6f19a916b9862e06677d174ba2e64c637ffcf9e2ab5968db
Opcode Fuzzy Hash: 143e6f6929bc7c19de30d3cec5a50baf3e13ddf55c0dcb36a4de250d2cea7cbf
Instruction Fuzzy Hash: D4217C35601018AFCB26CF94CC58EFB7BB9EB8A360F154059F905472A1C3759951DB61

Function 00A62F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A62F8D
LoadLibraryW.KERNEL32(?), ref: 00A62F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A62FA9
DestroyWindow.USER32(?), ref: 00A62FB1

Strings

SysAnimate32, xrefs: 00A62F68

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ebbdeacee1ccc9aa0b2347763647ff286745ce3df8a1101f69c1ae6d0fb5679f
Instruction ID: 22094e2a3162f43a56b4276505efbbde2c241138de038895b02b3ba4d0a91893
Opcode Fuzzy Hash: ebbdeacee1ccc9aa0b2347763647ff286745ce3df8a1101f69c1ae6d0fb5679f
Instruction Fuzzy Hash: 83218CB1204605ABEB108FA4DC80FBB77B9EF99364F104619FA50D61A0D7B1DC619760

Function 009F4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009F4D1E,00A028E9,?,009F4CBE,00A028E9,00A988B8,0000000C,009F4E15,00A028E9,00000002), ref: 009F4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009F4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,009F4D1E,00A028E9,?,009F4CBE,00A028E9,00A988B8,0000000C,009F4E15,00A028E9,00000002,00000000), ref: 009F4DC3

Strings

mscoree.dll, xrefs: 009F4D86
CorExitProcess, xrefs: 009F4D98

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3badae4d0fe699e19954aafdeb9e6e77f0e4a1431c18326527ca8a30f259f716
Instruction ID: 475ccb5b850d1c4259efdd84141f047ce81a597edba4c5713d2bcc65c30efef0
Opcode Fuzzy Hash: 3badae4d0fe699e19954aafdeb9e6e77f0e4a1431c18326527ca8a30f259f716
Instruction Fuzzy Hash: 26F04F34A4020CBBDB159FD4DC49BBEBBB9EF44762F4041A5F909A62A0DB74A941CB90

Function 009D4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,009D4EDD,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009D4EAE
FreeLibrary.KERNEL32(00000000,?,?,009D4EDD,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4EC0

Strings

kernel32.dll, xrefs: 009D4E94
Wow64DisableWow64FsRedirection, xrefs: 009D4EA8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 962c1132b79dab12bea7976635fde1506e1c0a51c5322aa94e58e8fad3eb45b4
Instruction ID: 1ff0d741fb952d801d7e4028b2de81dbda08e346109fac6dd64227823978d5bf
Opcode Fuzzy Hash: 962c1132b79dab12bea7976635fde1506e1c0a51c5322aa94e58e8fad3eb45b4
Instruction Fuzzy Hash: 64E08636A415227BD22157656C18A7B6678AF82F727094216FC40D2200DBB4CD0240B0

Function 009D4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A13CDE,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009D4E74
FreeLibrary.KERNEL32(00000000,?,?,00A13CDE,?,00AA1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009D4E87

Strings

kernel32.dll, xrefs: 009D4E5B
Wow64RevertWow64FsRedirection, xrefs: 009D4E6E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3ef18d5a66c6c906fcfd55f7d314d629cd79a102a532e90ae57972f850637672
Instruction ID: f4c83fe99a35b7d0e77598ec18005540323df18f0818587b78f3dbe278d011a1
Opcode Fuzzy Hash: 3ef18d5a66c6c906fcfd55f7d314d629cd79a102a532e90ae57972f850637672
Instruction Fuzzy Hash: 48D0C23264266177CA221B64BC08DAB2B3CBFC6F713054712F841A2210CFB4CD0281E1

Function 00A42947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A42C05
DeleteFileW.KERNEL32(?), ref: 00A42C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A42C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A42CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A42CC0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8d15dd26e16312fdd873a1edd17b495b5d826b91e0530be82fae8a81e7e01850
Instruction ID: d0419f8d3194822e35880500fa04d382a369ae0fa08b980b1da9a8a9f6b0d3fe
Opcode Fuzzy Hash: 8d15dd26e16312fdd873a1edd17b495b5d826b91e0530be82fae8a81e7e01850
Instruction Fuzzy Hash: 2CB14D7690011DABDF11EBA4CD85FEEBBBDEF88350F5040A6F609E7151EA309A448F61

Function 00A5A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A5A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A5A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A5A468
CloseHandle.KERNEL32(?), ref: 00A5A63D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 35d97062551bf92efa8f86821d0e011c74ba2573eb4475d894b0808dc5bfeafb
Instruction ID: ea78b084953de52a0ebe7d9b1b022e6d34e1f980f791271047af11da66a4ee1a
Opcode Fuzzy Hash: 35d97062551bf92efa8f86821d0e011c74ba2573eb4475d894b0808dc5bfeafb
Instruction Fuzzy Hash: 82A19D716043019FD720DF28D886F2AB7E1AF94714F14891DF99A9B392E7B0EC45CB92

Function 00A0BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A73700), ref: 00A0BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00AA121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00A0BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00AA1270,000000FF,?,0000003F,00000000,?), ref: 00A0BC36
_free.LIBCMT ref: 00A0BB7F

Part of subcall function 00A029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000), ref: 00A029DE
Part of subcall function 00A029C8: GetLastError.KERNEL32(00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000,00000000), ref: 00A029F0

_free.LIBCMT ref: 00A0BD4B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 896c4c85d4d4e1846518595c91d1f13e8079b5dfedca2efddbb9e65dceb5bfad
Instruction ID: 03a95c9fddf1d4d1dd470d43aa755a66feacec6bd868b1de0e1c4087830a0475
Opcode Fuzzy Hash: 896c4c85d4d4e1846518595c91d1f13e8079b5dfedca2efddbb9e65dceb5bfad
Instruction Fuzzy Hash: 1F51F87191020DAFDB10EFA5AE81AEEB7BCEF45360F10426AE554D71D1EB309E458B60

Function 00A3E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A3CF22,?), ref: 00A3DDFD

Part of subcall function 00A3DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A3CF22,?), ref: 00A3DE16

Part of subcall function 00A3E199: GetFileAttributesW.KERNEL32(?,00A3CF95), ref: 00A3E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A3E473
MoveFileW.KERNEL32(?,?), ref: 00A3E4AC
_wcslen.LIBCMT ref: 00A3E5EB
_wcslen.LIBCMT ref: 00A3E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A3E650

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0440f3d6b8ae3de901f17a3ee90e24e55c6044cf4a6b225a2e068e11bd376f39
Instruction ID: 1c5fb66f4cbbaa1f45d7430f6106152dcba9d8f4d6d4d159c80551276b3c4306
Opcode Fuzzy Hash: 0440f3d6b8ae3de901f17a3ee90e24e55c6044cf4a6b225a2e068e11bd376f39
Instruction Fuzzy Hash: B25165B25083459BC724EBA0DC81AEF77ECAF84354F00491EF6C9D3191EF75A5888756

Function 00A5B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A5C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A5B6AE,?,?), ref: 00A5C9B5
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5C9F1
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA68
Part of subcall function 00A5C998: _wcslen.LIBCMT ref: 00A5CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A5BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A5BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A5BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A5BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A5BBB3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9cd91194b870fb7c455cd3c6c653716b6e046a9d57bbf190962ecad02a93f91c
Instruction ID: 36a835b46462667d377102d734452ee4c9f2b7a469d2b34bc9148d6315e073f4
Opcode Fuzzy Hash: 9cd91194b870fb7c455cd3c6c653716b6e046a9d57bbf190962ecad02a93f91c
Instruction Fuzzy Hash: 2B61B031218241AFC314DF24C490E2ABBF5FF84349F15855DF8998B2A2DB31ED49CBA2

Function 00A38BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A38BCD
VariantClear.OLEAUT32 ref: 00A38C3E
VariantClear.OLEAUT32 ref: 00A38C9D
VariantClear.OLEAUT32(?), ref: 00A38D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A38D3B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 711f3979e26cb93c4801de7aa60cd75f05986ab5d4d1bdecc6204d422d7fa7b3
Instruction ID: c65d0775844e8500c21d62d85e5d01cbe0c2242f5f02458b2cc732bd085c66ea
Opcode Fuzzy Hash: 711f3979e26cb93c4801de7aa60cd75f05986ab5d4d1bdecc6204d422d7fa7b3
Instruction Fuzzy Hash: 33515AB5A00219EFCB14CF68C894AAAB7F8FF89310F158559F905DB350EB34E911CB90

Function 00A48AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A48BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A48BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A48C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A48C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A48C5F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 1fd4683cc8bdfe658e6a5410b6d80baa2c0bfa7337871211db7dae3304eb9379
Instruction ID: 1b4563b93d46449bdf924db991775f3a5ff38388cd02d259acdfa4eb66c67033
Opcode Fuzzy Hash: 1fd4683cc8bdfe658e6a5410b6d80baa2c0bfa7337871211db7dae3304eb9379
Instruction Fuzzy Hash: 13515A35A002159FCB01DFA5D880AADBBF5FF88314F08C059E849AB362DB35ED41CB91

Function 00A58EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A58F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A58FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A58FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A59032
FreeLibrary.KERNEL32(00000000), ref: 00A59052

Part of subcall function 009EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A41043,?,7529E610), ref: 009EF6E6
Part of subcall function 009EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A2FA64,00000000,00000000,?,?,00A41043,?,7529E610,?,00A2FA64), ref: 009EF70D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1f11a2c5b327866898911c1835b3a2f4b921766597c0f0ff88157cb4a52b7cdc
Instruction ID: daecacf5506e2a436651a1398f6c98acb49a307eacffba0a81b41edf3ada0c2d
Opcode Fuzzy Hash: 1f11a2c5b327866898911c1835b3a2f4b921766597c0f0ff88157cb4a52b7cdc
Instruction Fuzzy Hash: FD513935600205DFC711EF58C4949ADBBF1FF49325B0581A9EC0AAB362DB31ED8ACB91

Function 00A02051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A020C3
_free.LIBCMT ref: 00A020E3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7e1743d63b1caaaf4edc22c0fa78a429bfe5a1f8161a93df83b07fc9b151396e
Instruction ID: 4585cfce37bec15bc9538d73a472c469d8e1f98d19dac5207c1a66d3da68b0c3
Opcode Fuzzy Hash: 7e1743d63b1caaaf4edc22c0fa78a429bfe5a1f8161a93df83b07fc9b151396e
Instruction Fuzzy Hash: AD41D132A003089FCB24DF78D985B5EB7B5EF89314F1545A9E615EB392DA31AD01CB90

Function 009E912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009E9141
ScreenToClient.USER32(00000000,?), ref: 009E915E
GetAsyncKeyState.USER32(00000001), ref: 009E9183
GetAsyncKeyState.USER32(00000002), ref: 009E919D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 72e409ae1914ee2d59c7c87834f660b5f3c23acf751fc08d6ccee56a3952f354
Instruction ID: a8a4dad8424b20908aa4fc67877aac307ceafe5cf7208925035036f21b1f0227
Opcode Fuzzy Hash: 72e409ae1914ee2d59c7c87834f660b5f3c23acf751fc08d6ccee56a3952f354
Instruction Fuzzy Hash: 9141403190855AFBDF159F69D844BEEB774FF05320F204325E429A72A0C7746E54CB51

Function 00A43874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A438CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A43922
TranslateMessage.USER32(?), ref: 00A4394B
DispatchMessageW.USER32(?), ref: 00A43955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A43966

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0d4878d6c0a8d3cff536ea0dba88659c1263b65318c84b28bccfb95483dddc2e
Instruction ID: 866cf0a1416e4eeffbec575810432109eb83e3c34a07e765d89abaad266da0e5
Opcode Fuzzy Hash: 0d4878d6c0a8d3cff536ea0dba88659c1263b65318c84b28bccfb95483dddc2e
Instruction Fuzzy Hash: B331F976904342EEEF35CB749C58BB777E8AB86300F044559D4A2C21E1E3F49686CB21

Function 00A4CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A4C21E,00000000), ref: 00A4CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A4CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A4C21E,00000000), ref: 00A4CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A4C21E,00000000), ref: 00A4CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A4C21E,00000000), ref: 00A4CFF2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 47c89afe21da876786cb10a261858764bf05c6fadaa1b9fe24833166afb3a124
Instruction ID: dffa214be59df689c482d5b85a8e8f729f2e02d8d2cec683f703ca98c4ab6972
Opcode Fuzzy Hash: 47c89afe21da876786cb10a261858764bf05c6fadaa1b9fe24833166afb3a124
Instruction Fuzzy Hash: A2318CB5601305EFDB60DFA5C884AABBBF9EB94321B10442EF50AD2141EB74AE45DB60

Function 00A31901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A31915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A319C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A319C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A319DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A319E2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3aca8b42f4afc7225597f8a876c0b6c08e2ddf2e702ced5db72ad1fe0d8a6b5b
Instruction ID: 448771c4a1decaaeae353d2727d6d2f3fa2ddc15efb73027045b4e7ab13271ce
Opcode Fuzzy Hash: 3aca8b42f4afc7225597f8a876c0b6c08e2ddf2e702ced5db72ad1fe0d8a6b5b
Instruction Fuzzy Hash: D031B471A00219EFCB04CFA8CD99BEE7BB5EB45325F104225F961A72D1C7B09D54DB90

Function 00A65706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A65745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A6579D
_wcslen.LIBCMT ref: 00A657AF
_wcslen.LIBCMT ref: 00A657BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A65816

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e7dec30b3135b1fc9e39943a04525f1015c94367060e7a36b38a84d58d23f43c
Instruction ID: ba50207a8361ad041c49d66d70f9232cc3e6bd7167dba62a8bba587d0688907c
Opcode Fuzzy Hash: e7dec30b3135b1fc9e39943a04525f1015c94367060e7a36b38a84d58d23f43c
Instruction Fuzzy Hash: CF218275D04618AADB20DFB0CC85AEE77B8FF44724F108656E929EB1C0DBB49985CF50

Function 00A50930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A50951
GetForegroundWindow.USER32 ref: 00A50968
GetDC.USER32(00000000), ref: 00A509A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A509B0
ReleaseDC.USER32(00000000,00000003), ref: 00A509E8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ae3a96ec4064c768b5f38bebbbd80c83672a1cb8cf58d62a4cc217827260aa86
Instruction ID: f7e6cb04c50cf76a788aec5ee7f0de9dea524a5ec46531a3759b2b295ce0d187
Opcode Fuzzy Hash: ae3a96ec4064c768b5f38bebbbd80c83672a1cb8cf58d62a4cc217827260aa86
Instruction Fuzzy Hash: 7E216F39600204AFD704EFA9D985AAEBBF5FF84751F048069F85A97352CB70AC45CB50

Function 00A0CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A0CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A0CDE9

Part of subcall function 00A03820: RtlAllocateHeap.NTDLL(00000000,?,00AA1444,?,009EFDF5,?,?,009DA976,00000010,00AA1440,009D13FC,?,009D13C6,?,009D1129), ref: 00A03852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A0CE0F
_free.LIBCMT ref: 00A0CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A0CE31

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ebb4a37c0d93747e105a18b7d63fdb14e6b360c8d0bc4bfc79b9191a5087d37d
Instruction ID: e168347f51ca50fad1f0919ef153a86a3917c328ae04f71f02f68084a51d4c90
Opcode Fuzzy Hash: ebb4a37c0d93747e105a18b7d63fdb14e6b360c8d0bc4bfc79b9191a5087d37d
Instruction Fuzzy Hash: 8701B1726012197FE32167F6BC8CD7B697DDAC6BB13150229FD05C7280EA608D0291B0

Function 009E9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009E9693
SelectObject.GDI32(?,00000000), ref: 009E96A2
BeginPath.GDI32(?), ref: 009E96B9
SelectObject.GDI32(?,00000000), ref: 009E96E2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7469100ab82f2ea3ab57308d1fec4e5dec612637fe5b55dc4b0e4f3e32e8b907
Instruction ID: a58962834916ee549ff135a1290c1c1c66e5344d7b2eb2fb09520949159ba580
Opcode Fuzzy Hash: 7469100ab82f2ea3ab57308d1fec4e5dec612637fe5b55dc4b0e4f3e32e8b907
Instruction Fuzzy Hash: 44218330801346FBDB12DFA5EC187AA7BB8BB42765F100216F420961F0D3749D92CB94

Function 00A35711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A35726
_memcmp.LIBVCRUNTIME ref: 00A35744
_memcmp.LIBVCRUNTIME ref: 00A35757
_memcmp.LIBVCRUNTIME ref: 00A3576F
_memcmp.LIBVCRUNTIME ref: 00A35787

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e681e68ea5d01b843dda3191e56571fd2edae3c5290b0b06f5292524c7c85421
Instruction ID: 7ae4a7b5e7fc5a7ae188a0298b368c68a91a13b2db66b011343652b45a1a1e34
Opcode Fuzzy Hash: e681e68ea5d01b843dda3191e56571fd2edae3c5290b0b06f5292524c7c85421
Instruction Fuzzy Hash: D3017571A45609FFD6085629ED82FBB736DAF71394F414821FE04AA641F761ED10C3E1

Function 00A02DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009FF2DE,00A03863,00AA1444,?,009EFDF5,?,?,009DA976,00000010,00AA1440,009D13FC,?,009D13C6), ref: 00A02DFD
_free.LIBCMT ref: 00A02E32
_free.LIBCMT ref: 00A02E59
SetLastError.KERNEL32(00000000,009D1129), ref: 00A02E66
SetLastError.KERNEL32(00000000,009D1129), ref: 00A02E6F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f18fb58a3acb42fa1a9669567cdd380f2ab83851374b0ddf5767f901c670965c
Instruction ID: 761f3a6024ed81f922ba7751775fb3172fc2b365975eca93d135cadb3bc88053
Opcode Fuzzy Hash: f18fb58a3acb42fa1a9669567cdd380f2ab83851374b0ddf5767f901c670965c
Instruction Fuzzy Hash: 8201F93628570867C6136775BD8DF2B2E7DABD53B17350525F455932D2EF648C024320

Function 00A3000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?,?,00A3035E), ref: 00A3002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?), ref: 00A30046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?), ref: 00A30054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?), ref: 00A30064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A2FF41,80070057,?,?), ref: 00A30070

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b836452567621f4c4c189654adf9638b6dd173948953e14a9af449ff77caf421
Instruction ID: 9afb26e045e94014c91d30722930cba271809b5f7ffec9d2972e8e7a1afd589f
Opcode Fuzzy Hash: b836452567621f4c4c189654adf9638b6dd173948953e14a9af449ff77caf421
Instruction Fuzzy Hash: 7F018B72600218BFDB249FA8DC44FAA7ABDEB447A2F148124F945D7210E7B5DD418BA0

Function 00A3E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A3E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A3E9A5
Sleep.KERNEL32(00000000), ref: 00A3E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A3E9B7
Sleep.KERNEL32 ref: 00A3E9F3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ecb50397ae0b9e0b5779de0ab75a23bbad606975a62d5283e81aa9a439ade7bf
Instruction ID: 4fbe35ba87ba64b0ead86bf19518d94d7fd34520ae3f9423fa486822db71b285
Opcode Fuzzy Hash: ecb50397ae0b9e0b5779de0ab75a23bbad606975a62d5283e81aa9a439ade7bf
Instruction Fuzzy Hash: C6011331C01629DBCF00EBE5DD59AEDFB78BB09712F000656E942B2281CB7096568BA2

Function 00A310F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A31114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A31120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A3112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A30B9B,?,?,?), ref: 00A31136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A3114D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3c011d31792b7b12593de62f77c70824b921adf41ff7524d4970ba72a5109acf
Instruction ID: 6fdd09890407a8d9c6cd3286b5f1b8535f72082e5a0990b09dcd7f482be47c17
Opcode Fuzzy Hash: 3c011d31792b7b12593de62f77c70824b921adf41ff7524d4970ba72a5109acf
Instruction Fuzzy Hash: 4D011975200215BFDB128FA5DC49AAA3B7EEF8A3A4B204519FA85D7360DA71DC019A60

Function 00A30FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A30FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A30FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A30FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A30FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A31002

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c0a486f4b33f3c4c36526f62a7ba38defc9470e5be0ec18622c23090dce7882b
Instruction ID: 84b84c83796e6baba29f486f4681b6ce907bac90a09190d4a1502789eb22c153
Opcode Fuzzy Hash: c0a486f4b33f3c4c36526f62a7ba38defc9470e5be0ec18622c23090dce7882b
Instruction Fuzzy Hash: 1CF04935200311BBDB218FA59C49F667BBDEF8A762F114424FA8AD6251CAB1DC418A60

Function 00A31014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A3102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A31036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A31045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A3104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A31062

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9a0db3c8122079720217d3a3e9bcae39fce4da323b8c68a3b72b2238788da928
Instruction ID: 5a1a7d5dacfe5e3a1560773eb42716c750734227463172deec8f6e2929d2b136
Opcode Fuzzy Hash: 9a0db3c8122079720217d3a3e9bcae39fce4da323b8c68a3b72b2238788da928
Instruction Fuzzy Hash: 22F06D35200311FBDB229FE5EC59F663BBDEF8A761F510424FA85D7250CAB1D8418A60

Function 00A4030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00A4017D,?,00A432FC,?,00000001,00A12592,?), ref: 00A40324
CloseHandle.KERNEL32(?,?,?,?,00A4017D,?,00A432FC,?,00000001,00A12592,?), ref: 00A40331
CloseHandle.KERNEL32(?,?,?,?,00A4017D,?,00A432FC,?,00000001,00A12592,?), ref: 00A4033E
CloseHandle.KERNEL32(?,?,?,?,00A4017D,?,00A432FC,?,00000001,00A12592,?), ref: 00A4034B
CloseHandle.KERNEL32(?,?,?,?,00A4017D,?,00A432FC,?,00000001,00A12592,?), ref: 00A40358
CloseHandle.KERNEL32(?,?,?,?,00A4017D,?,00A432FC,?,00000001,00A12592,?), ref: 00A40365

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 45f8b5c40f7edf373bc9bfbee1540b9a50fe8e566d7942abf5da5ac972508a02
Instruction ID: 9fea43d52b859a2a842716afae50281987151d198ace0c649cead9e1f3d995c1
Opcode Fuzzy Hash: 45f8b5c40f7edf373bc9bfbee1540b9a50fe8e566d7942abf5da5ac972508a02
Instruction Fuzzy Hash: 2001A276800B159FC7309F66D890812FBF5BF903153158A3FD29656931C3B1B955DF80

Function 00A0D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A0D752

Part of subcall function 00A029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000), ref: 00A029DE
Part of subcall function 00A029C8: GetLastError.KERNEL32(00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000,00000000), ref: 00A029F0

_free.LIBCMT ref: 00A0D764
_free.LIBCMT ref: 00A0D776
_free.LIBCMT ref: 00A0D788
_free.LIBCMT ref: 00A0D79A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6a7b215578059f3db213a9776fa2085bb430c524cef2579dcb7501615b957e3a
Instruction ID: db7e2f46f559eb183f504c1b959a3d252a912c729e6389dfdc1ae3651be7618b
Opcode Fuzzy Hash: 6a7b215578059f3db213a9776fa2085bb430c524cef2579dcb7501615b957e3a
Instruction Fuzzy Hash: 7AF0FF3364471CABC621EBA8FAC5D1677DDBB847607A40806F048E7581CB20FC8187A4

Function 00A35C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A35C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A35C6F
MessageBeep.USER32(00000000), ref: 00A35C87
KillTimer.USER32(?,0000040A), ref: 00A35CA3
EndDialog.USER32(?,00000001), ref: 00A35CBD

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fbacf62b55c0b61796490ccf106a79d5cdfee5dc5804275d1e550345cc6df76c
Instruction ID: 4eb00f6e5be864ed76e33146f41629e915cc261f66fa3d642526114703cc16cc
Opcode Fuzzy Hash: fbacf62b55c0b61796490ccf106a79d5cdfee5dc5804275d1e550345cc6df76c
Instruction Fuzzy Hash: E9018634900B04ABEB259B64DD4EFA677B8BB00B05F04255AF583A14E1DBF4A985CA94

Function 00A022A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A022BE

Part of subcall function 00A029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000), ref: 00A029DE
Part of subcall function 00A029C8: GetLastError.KERNEL32(00000000,?,00A0D7D1,00000000,00000000,00000000,00000000,?,00A0D7F8,00000000,00000007,00000000,?,00A0DBF5,00000000,00000000), ref: 00A029F0

_free.LIBCMT ref: 00A022D0
_free.LIBCMT ref: 00A022E3
_free.LIBCMT ref: 00A022F4
_free.LIBCMT ref: 00A02305

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 71508f466f42ee5468de4f4667e2717dea9e7e6e8f88bf35fa28787de7cd0876
Instruction ID: f59de7d79666d417a27387d9457aa2c351299edfe78abb187d894cadbaeddc94
Opcode Fuzzy Hash: 71508f466f42ee5468de4f4667e2717dea9e7e6e8f88bf35fa28787de7cd0876
Instruction Fuzzy Hash: ACF0177491072A9FCA12EFD8BD05E8C3AA4B75A7A0B50055BF410E22F1CB304813AFE4

Function 009E95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009E95D4
StrokeAndFillPath.GDI32(?,?,00A271F7,00000000,?,?,?), ref: 009E95F0
SelectObject.GDI32(?,00000000), ref: 009E9603
DeleteObject.GDI32 ref: 009E9616
StrokePath.GDI32(?), ref: 009E9631

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f5a5d82176a592d70236f067ec7f7bd6acba6e6f74fbc257990d861777d42e90
Instruction ID: 973f5c3fcc96f57e56dca7c7ea53fe3b509882a1cfbeaf6b867095864849122f
Opcode Fuzzy Hash: f5a5d82176a592d70236f067ec7f7bd6acba6e6f74fbc257990d861777d42e90
Instruction Fuzzy Hash: 70F0143000624AFBDB22DFAAED18B667B75BB06372F448215F8B5550F0DB748996DF20

Function 00A00F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A010F9
__freea.LIBCMT ref: 00A01117

Part of subcall function 00A01537: _free.LIBCMT ref: 00A0154F

Strings

am/pm, xrefs: 00A0117A
a/p, xrefs: 00A011DE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 06ea11177eef33772c62e428537fbcac5e550c6d49ac112446b628eaec848798
Instruction ID: 9bc32628473afd361f0a75411f35b540d314812b93541a64640bff7f476a89c8
Opcode Fuzzy Hash: 06ea11177eef33772c62e428537fbcac5e550c6d49ac112446b628eaec848798
Instruction Fuzzy Hash: 5FD1E27190020EDBDB689F68E895BFAB7B5FF05300F284269E9419F6D0D3759D80CB92

Function 00A57B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 009F0242: EnterCriticalSection.KERNEL32(00AA070C,00AA1884,?,?,009E198B,00AA2518,?,?,?,009D12F9,00000000), ref: 009F024D
Part of subcall function 009F0242: LeaveCriticalSection.KERNEL32(00AA070C,?,009E198B,00AA2518,?,?,?,009D12F9,00000000), ref: 009F028A

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 009F00A3: __onexit.LIBCMT ref: 009F00A9

__Init_thread_footer.LIBCMT ref: 00A57BFB

Part of subcall function 009F01F8: EnterCriticalSection.KERNEL32(00AA070C,?,?,009E8747,00AA2514), ref: 009F0202
Part of subcall function 009F01F8: LeaveCriticalSection.KERNEL32(00AA070C,?,009E8747,00AA2514), ref: 009F0235

Strings

5, xrefs: 00A57C78
Variable must be of type 'Object'., xrefs: 00A57C3A
G, xrefs: 00A57C7F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 6ce750b5cec36b84e39103c4f038c6e2abc9c4b7e4ebb2c1736da523e410eb17
Instruction ID: c92326216881258762e99ad116eb0f67c1d999ed63c157494007931fba88a7d7
Opcode Fuzzy Hash: 6ce750b5cec36b84e39103c4f038c6e2abc9c4b7e4ebb2c1736da523e410eb17
Instruction Fuzzy Hash: 26918D75A04209AFCB04EF54E991EBDB7B1FF89301F108059FC46AB292DB71AE49CB51

Function 00A32716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A321D0,?,?,00000034,00000800,?,00000034), ref: 00A3B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A32760

Part of subcall function 00A3B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A3B3F8

Part of subcall function 00A3B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A3B355
Part of subcall function 00A3B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A32194,00000034,?,?,00001004,00000000,00000000), ref: 00A3B365
Part of subcall function 00A3B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A32194,00000034,?,?,00001004,00000000,00000000), ref: 00A3B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A327CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A3281A

Strings

@, xrefs: 00A32832

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cc048fbb0bf3e7888322db15656806d92bc1df31c6453d78e11b74e8b3af351d
Instruction ID: 750a6a6fa76d18ffa97b50e44e8335ae101071359610753816e1fcade40e7c47
Opcode Fuzzy Hash: cc048fbb0bf3e7888322db15656806d92bc1df31c6453d78e11b74e8b3af351d
Instruction Fuzzy Hash: 2A410976900218BFDB10DFA4CD85BEEBBB8AF09700F108099FA55B7181DB706E45DBA1

Function 00A0172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A01769
_free.LIBCMT ref: 00A01834
_free.LIBCMT ref: 00A0183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A01760, 00A01767, 00A01796, 00A017CE

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 4e9cb3b247f575538e6827e24655a2bd1322a345ea6e24d1125f1d77340fa9c8
Instruction ID: 6b3585b97986f9eb375e1ab0ba35dd3bdfefa5fc156be7ff44ec3f7709c15fc9
Opcode Fuzzy Hash: 4e9cb3b247f575538e6827e24655a2bd1322a345ea6e24d1125f1d77340fa9c8
Instruction Fuzzy Hash: 63318C75A0021CABDB21DFD9A885EDEBBFCEB85350F104166F80497291D7B08E45CBA0

Function 00A3C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A3C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A3C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AA1990,00ED5710), ref: 00A3C395

Strings

0, xrefs: 00A3C2DF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: df527831e04e2251de5dd8d2f175a8fd2f5cf67703a4d38523eaf45458b1854f
Instruction ID: 7e6afaf14c16dc265bfbc5169b264bf0a4896b1a7b47f4b9c092b247b8ceacf9
Opcode Fuzzy Hash: df527831e04e2251de5dd8d2f175a8fd2f5cf67703a4d38523eaf45458b1854f
Instruction Fuzzy Hash: 92419F712043019FD720DF25DC85B6AFBE4AF85320F148A1EF9A6AB2D1D770E904CB62

Function 00A64416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A6CC08,00000000,?,?,?,?), ref: 00A644AA
GetWindowLongW.USER32 ref: 00A644C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A644D7

Strings

SysTreeView32, xrefs: 00A6447C

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 852cf9d28f38f21597508121a0eedf1ff08470d6b0891b83ffab4f7fa59d5ef0
Instruction ID: ec8b96910a50e0f78ea6e1b2d039ba8384ce6d962f23e96c11d2fec770033daf
Opcode Fuzzy Hash: 852cf9d28f38f21597508121a0eedf1ff08470d6b0891b83ffab4f7fa59d5ef0
Instruction Fuzzy Hash: 04319A31210205AFDB218F78DC4ABEA7BB9EB49334F208715F976A21E0DB70AC519B50

Function 00A64537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A6461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A64634

Strings

V, xrefs: 00A645D7
', xrefs: 00A6458E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '$V
API String ID: 3850602802-299079222
Opcode ID: c9a6cc997440fa78f54733112199cc7618ff7dabbd4e20694fe3075c319e843e
Instruction ID: 79e57d0cc9ff0029e0b4c876909d8edf7d20f39a79dd6f88e9ff887a35aa8ced
Opcode Fuzzy Hash: c9a6cc997440fa78f54733112199cc7618ff7dabbd4e20694fe3075c319e843e
Instruction Fuzzy Hash: 86310A74A0131AAFDF14CFA9C991BDA7BB5FF49700F14406AE905AB391E770A941CF90

Function 00A5304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A53077,?,?), ref: 00A53378

inet_addr.WSOCK32(?), ref: 00A5307A
_wcslen.LIBCMT ref: 00A5309B
htons.WSOCK32(00000000), ref: 00A53106

Strings

255.255.255.255, xrefs: 00A53095, 00A5309A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 82cd0cdb58e4d8e6e37b1da4252b69d3c15e402916493b4953f1c7ef23c301d6
Instruction ID: 8f2b680a9feeec74210438e176e9fc5fd06b17ff73a5fa948c8f3390202c0c35
Opcode Fuzzy Hash: 82cd0cdb58e4d8e6e37b1da4252b69d3c15e402916493b4953f1c7ef23c301d6
Instruction Fuzzy Hash: EE31B2362002059FCF20DF68C585AAA77F0FF94399F248159E9158B392D771DE49C760

Function 00A63EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A63F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A63F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A63F78

Strings

SysMonthCal32, xrefs: 00A63F0B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: de502411ffc89a15b3431d28257061ad6f65da04f97b7320a0354d6c7d668b33
Instruction ID: d73c12620644b1a3a8ec803635f56ad8be610f97a91e44b122701e82201924d8
Opcode Fuzzy Hash: de502411ffc89a15b3431d28257061ad6f65da04f97b7320a0354d6c7d668b33
Instruction Fuzzy Hash: 4A219C33610219BFDF25DF90CC46FEA3BB9EF48724F110214FA556B1D0D6B5A9518BA0

Function 00A395AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A3961D

Strings

#requireadmin, xrefs: 00A395D9
#OnAutoItStartRegister, xrefs: 00A395F3
#notrayicon, xrefs: 00A395B7

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d9455226a85e97ca29f401ddaa5c6eb3e7e2528313c7a5f33846e51acce8b3b2
Instruction ID: d4db7d155b20469fedbfcbb48db192240310862947fd8c14707641007db516bb
Opcode Fuzzy Hash: d9455226a85e97ca29f401ddaa5c6eb3e7e2528313c7a5f33846e51acce8b3b2
Instruction Fuzzy Hash: F1212B722456116AD331BB249C13FB7B3E8AF91310F54842AF94A97181EBD1AD85C395

Function 00A637B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A63840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A63850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A63876

Strings

Listbox, xrefs: 00A6380F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9717c783b234e6d0b8d0b96f6f3f8197699aab182edd2989fcaf3b695fbc48b9
Instruction ID: 230694e394830cf35f7965f0ca536ee4b133e6bff45201aab694e4101e9c9967
Opcode Fuzzy Hash: 9717c783b234e6d0b8d0b96f6f3f8197699aab182edd2989fcaf3b695fbc48b9
Instruction Fuzzy Hash: D3217F72610118BBEF11DF95DC85EBB377AEF89760F108114F9549B190CAB59C5287A0

Function 00A449F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A44A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A44A5C
SetErrorMode.KERNEL32(00000000,?,?,00A6CC08), ref: 00A44AD0

Strings

%lu, xrefs: 00A44A6F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 9f2d45208d4ff64582e5a873558f841d1a3de03b344a0f24d2320db6bb05a12e
Instruction ID: d2087729bd29fbb1da0b79491eeb6035407c35024351e5c9e669f16ebfc861b0
Opcode Fuzzy Hash: 9f2d45208d4ff64582e5a873558f841d1a3de03b344a0f24d2320db6bb05a12e
Instruction Fuzzy Hash: 0E316175A00108AFDB10DF64C985EAA77F8EF49318F1480A5F909DB352DB71ED46CB61

Function 00A641EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A6424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A64264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A64271

Strings

msctls_trackbar32, xrefs: 00A64226

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fa662a90e6861331a75021c12c537b65c75cc4ebc4e6450df18cd86357cccbf1
Instruction ID: 3beb4ed57571f828942cc782f0b59bc53c7897ccdb15ec18a715316621109eaa
Opcode Fuzzy Hash: fa662a90e6861331a75021c12c537b65c75cc4ebc4e6450df18cd86357cccbf1
Instruction Fuzzy Hash: FF11E331240208BEEF209F79CC46FEB3BBCEF89B64F110614FA55E2090D2B1D8519B20

Function 00A32F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D6B57: _wcslen.LIBCMT ref: 009D6B6A

Part of subcall function 00A32DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A32DC5
Part of subcall function 00A32DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A32DD6
Part of subcall function 00A32DA7: GetCurrentThreadId.KERNEL32 ref: 00A32DDD
Part of subcall function 00A32DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A32DE4

GetFocus.USER32 ref: 00A32F78

Part of subcall function 00A32DEE: GetParent.USER32(00000000), ref: 00A32DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A32FC3
EnumChildWindows.USER32(?,00A3303B), ref: 00A32FEB

Strings

%s%d, xrefs: 00A32FFF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 455a5e485815e8c66275ecc30e2ce9b89c588e225be88f035af57b1097610af6
Instruction ID: 8314c3cd45090d30aac711fe57bc168df27c865c2eb5a1a41a1e089a36023803
Opcode Fuzzy Hash: 455a5e485815e8c66275ecc30e2ce9b89c588e225be88f035af57b1097610af6
Instruction Fuzzy Hash: 2311D2756042056BCF05BFB0DC85FED376AAF94314F048076F9099B252DE709A058B70

Function 00A65882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A658C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A658EE
DrawMenuBar.USER32(?), ref: 00A658FD

Strings

0, xrefs: 00A6588F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 13eead56d74eebbec0a210fa93725e2c269a3bff5278f9d02c157a7b7c4e93f8
Instruction ID: f9257e0ee8b133a06b71968fce010b1656bc925e184bc936fcc689f42ca42446
Opcode Fuzzy Hash: 13eead56d74eebbec0a210fa93725e2c269a3bff5278f9d02c157a7b7c4e93f8
Instruction Fuzzy Hash: DA016D32900258EFDB219F61DC44BAEBBB5FB45360F10809AE889D6151DB709A84DF31

Function 00A67803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00AA18B0,00A6A364,000000FC,?,00000000,00000000,?,?,?,00A276CF,?,?,?,?,?), ref: 00A67805
GetFocus.USER32 ref: 00A6780D

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

Part of subcall function 009E9944: GetWindowLongW.USER32(?,000000EB), ref: 009E9952

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00A6787A

Strings

V, xrefs: 00A67841, 00A67852

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: V
API String ID: 3601265619-4045069856
Opcode ID: 35609a5aa240644cb0eee8d0a1603706be863b92ac105cd900d43760d0510077
Instruction ID: f8876372306ce3045a7c4c02db5994d7b30fa8aab4b0a6249a9e6c49c0e4dbeb
Opcode Fuzzy Hash: 35609a5aa240644cb0eee8d0a1603706be863b92ac105cd900d43760d0510077
Instruction Fuzzy Hash: 2B018F356161109FC325DB68D858BBA33F6AF8A324F18026DE055872E1CB716C43CB50

Function 00A2D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A2D3BF
FreeLibrary.KERNEL32 ref: 00A2D3E5

Strings

X64, xrefs: 00A2D2A8
GetSystemWow64DirectoryW, xrefs: 00A2D3B9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b0e91c1cc3ac3db0a04337ab37c06ae11b4f8925810d63a1634854d4db9d836e
Instruction ID: a0386c72ac57d5a32e3a6363de4def436df942a9044320dde049eacd5ba2ae56
Opcode Fuzzy Hash: b0e91c1cc3ac3db0a04337ab37c06ae11b4f8925810d63a1634854d4db9d836e
Instruction Fuzzy Hash: 40F05531902630EBDB329318AC14AF93330AF01B01B688A36E842EA107E760CC408392

Function 00A3007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c74bd87b775c16c686e181dfdb8401f719248863c0da4243a780096629e325
Instruction ID: 48e8c10f08dd4d815d2933ccc2bc59c2422c8aeed890dfc5b1ecf045c59600dd
Opcode Fuzzy Hash: b2c74bd87b775c16c686e181dfdb8401f719248863c0da4243a780096629e325
Instruction Fuzzy Hash: 65C13975A0021AAFDB14CFA8C8A8EAEB7B5FF48704F218598F505EB251D731ED41DB90

Function 00A03E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A03F0B
__alldvrm.LIBCMT ref: 00A0410C
__alldvrm.LIBCMT ref: 00A0412E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 3ac605ddbc8e9ef1cebeb982c229e134d9e146ab2d2436f7641f3c1f1a07b316
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EAA148B2D0038A9FEB15CF18E8917AEBBF4FF69350F14426DE6859B2C1C2389981C750

Function 00A5342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A53459
CoUninitialize.OLE32 ref: 00A53463
VariantInit.OLEAUT32(?), ref: 00A5346E
VariantClear.OLEAUT32(?), ref: 00A5371B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d84ae8dd5035b84501a48d2cbf11a1a9be03b4b48747bfcce9f10c6187dceb35
Instruction ID: 59f76a4e1ea2d4e8d1ca9e12be145de200626743440899658c1b170febb6c82e
Opcode Fuzzy Hash: d84ae8dd5035b84501a48d2cbf11a1a9be03b4b48747bfcce9f10c6187dceb35
Instruction Fuzzy Hash: 4FA13B766042009FCB10DF68C585A2AB7E5FF88755F04895DFD8A9B362EB30EE05CB52

Function 00A30436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A6FC08,?), ref: 00A305F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A6FC08,?), ref: 00A30608
CLSIDFromProgID.OLE32(?,?,00000000,00A6CC40,000000FF,?,00000000,00000800,00000000,?,00A6FC08,?), ref: 00A3062D
_memcmp.LIBVCRUNTIME ref: 00A3064E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: dc869cf0d6fbea9536285c943425cf8212a8bbb0c9be1c4e0a8879aa4e59aa8b
Instruction ID: abb3562c0a7d638723fbf48a6b886848e4aff450a5e7dab794f24a4330b98e95
Opcode Fuzzy Hash: dc869cf0d6fbea9536285c943425cf8212a8bbb0c9be1c4e0a8879aa4e59aa8b
Instruction Fuzzy Hash: 26810B71A00109EFCB04DF94C994EEEB7B9FF89315F208599F516AB250DB71AE06CB60

Function 00A5A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A5A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A5A6BA

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A5A79C
CloseHandle.KERNEL32(00000000), ref: 00A5A7AB

Part of subcall function 009ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A13303,?), ref: 009ECE8A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 4445dbf1b73151b8fd71a28dc6def96b9e60ed86cce613d2a153117af40be59a
Instruction ID: e12547d8c432cb6fbea477a09bb21a6d1071e289cf53788b80fd20edd79ec6ec
Opcode Fuzzy Hash: 4445dbf1b73151b8fd71a28dc6def96b9e60ed86cce613d2a153117af40be59a
Instruction Fuzzy Hash: B7515D716083009FD710EF64D886A6BBBE8FFD9754F00891EF99597291EB70D904CB92

Function 00A11391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A114C0

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a7ec053bc3b4a7cd3b1b44dfcb0e498079b33520a1428efc8ba23efa829d4a88
Instruction ID: e6b222098b2569673ad6f9235cbedef1723a3a148c369b02665ada24e3a6dc9c
Opcode Fuzzy Hash: a7ec053bc3b4a7cd3b1b44dfcb0e498079b33520a1428efc8ba23efa829d4a88
Instruction Fuzzy Hash: 3C416C71A00118ABDB216FF99C457FE3AB5EF81770F144225F729D61D2E63488C15362

Function 00A51AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A51AFD
WSAGetLastError.WSOCK32 ref: 00A51B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A51B8A
WSAGetLastError.WSOCK32 ref: 00A51B94

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: af44ebc4450d8f74ffebd248cf38a542c00f3ee7b3d02b9c2ecf9415583e9fb5
Instruction ID: 20f6b4052eed8ef24508a32abfda883b19eb9fc9a3e70a949b683a654a4cc6f0
Opcode Fuzzy Hash: af44ebc4450d8f74ffebd248cf38a542c00f3ee7b3d02b9c2ecf9415583e9fb5
Instruction Fuzzy Hash: CE419F74640200AFE721AF24C886F3977E5AB84718F54C449F95A9F3D2E7B2DD42CB90

Function 00A0B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5260cef36a5e15e1f0288146c51e567e28ef0524810c25230c79e3467cc47937
Instruction ID: 998b5f8abe1053dac5a60ee50ead19c68668dbdb6832bd4fa0397a351e437d4d
Opcode Fuzzy Hash: 5260cef36a5e15e1f0288146c51e567e28ef0524810c25230c79e3467cc47937
Instruction Fuzzy Hash: 32412B71A10308BFD7249F78DD41BAEBBE9EF88710F10856AF151DB6C1D372AA418790

Function 00A456D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A45783
GetLastError.KERNEL32(?,00000000), ref: 00A457A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A457CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A457FA

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f98148fb15c7abb1dc00dd26b392817eb192b3b49617c20ef3bd4419f02faf62
Instruction ID: 55d7e00e3dfebcb0a0458b552dda5bb787422b75da0f22c949f2ccbbc60d637b
Opcode Fuzzy Hash: f98148fb15c7abb1dc00dd26b392817eb192b3b49617c20ef3bd4419f02faf62
Instruction Fuzzy Hash: 2B411B39600611DFCB11EF65C544A59BBE1EF89720B19C889FC4AAB362DB30FD01CB91

Function 00A0D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009F6D71,00000000,00000000,009F82D9,?,009F82D9,?,00000001,009F6D71,8BE85006,00000001,009F82D9,009F82D9), ref: 00A0D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A0D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A0D9AB
__freea.LIBCMT ref: 00A0D9B4

Part of subcall function 00A03820: RtlAllocateHeap.NTDLL(00000000,?,00AA1444,?,009EFDF5,?,?,009DA976,00000010,00AA1440,009D13FC,?,009D13C6,?,009D1129), ref: 00A03852

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b8f1ee8690d22fae0b8b0b5d10ef5a4eabfacd68d837ad32857f6dbbf506ea7d
Instruction ID: 4149306fbc76450a229bc861751af6bc3a7c8bb52c4054acb72467e2ff152cad
Opcode Fuzzy Hash: b8f1ee8690d22fae0b8b0b5d10ef5a4eabfacd68d837ad32857f6dbbf506ea7d
Instruction Fuzzy Hash: 9031D072A0020AABDF24CFA4EC81EBE7BA5EB41760F054268FC04D7290EB35CD50CB90

Function 00A3AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00A3ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A3AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A3AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00A3ACC6

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3fdcc5b95a3af59c24054c3cb3c5d72d9c295ba6db3df6e5709a36988e349003
Instruction ID: a05e95a3f6f7b1a988d1b665a743649398c5b8a602e82c793d31df6f6a282530
Opcode Fuzzy Hash: 3fdcc5b95a3af59c24054c3cb3c5d72d9c295ba6db3df6e5709a36988e349003
Instruction Fuzzy Hash: 03311430A043286FEB25CBE5CC097FA7BB5ABA9320F08621AF4C5921D1C3758D818752

Function 00A616DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A616EB

Part of subcall function 00A33A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A33A57
Part of subcall function 00A33A3D: GetCurrentThreadId.KERNEL32 ref: 00A33A5E
Part of subcall function 00A33A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A325B3), ref: 00A33A65

GetCaretPos.USER32(?), ref: 00A616FF
ClientToScreen.USER32(00000000,?), ref: 00A6174C
GetForegroundWindow.USER32 ref: 00A61752

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 87a8c01bd0b9f9ed7e5296a898b437c2782a4b6e37b9dbc5a8720bf356c0e698
Instruction ID: 6e6fcfc1226160697d420615a30698fba710d76c3d3ae76463804aed32c61bc6
Opcode Fuzzy Hash: 87a8c01bd0b9f9ed7e5296a898b437c2782a4b6e37b9dbc5a8720bf356c0e698
Instruction Fuzzy Hash: 42314F75D00149AFCB00EFA9C881DAEBBF9EF88304B5480AAE455E7351E7319E45CFA0

Function 00A3DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 009D7620: _wcslen.LIBCMT ref: 009D7625

_wcslen.LIBCMT ref: 00A3DFCB
_wcslen.LIBCMT ref: 00A3DFE2
_wcslen.LIBCMT ref: 00A3E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00A3E018

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 928497f580188e42aef758ba739d0faf88b7b2ca13ff49f5c25dbd239d65aa5b
Instruction ID: 67db83536e7924208601ef8263b1e5489bd268a838fa982d005edd61be9bb8eb
Opcode Fuzzy Hash: 928497f580188e42aef758ba739d0faf88b7b2ca13ff49f5c25dbd239d65aa5b
Instruction Fuzzy Hash: B8218371940214EFCB11DFA8D981B7EB7F8EF85750F148065F905BB285D6709E41CBA1

Function 00A3D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A6CB68), ref: 00A3D2FB
GetLastError.KERNEL32 ref: 00A3D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A3D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A6CB68), ref: 00A3D376

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e8adbd44fc555ef8a7a1ace963318617218b49b48e38125a4de012242ba50468
Instruction ID: 086a7678de4ededa2111d47e6b4c075e4ff0f33a18539e535e4a37f2e6b6b165
Opcode Fuzzy Hash: e8adbd44fc555ef8a7a1ace963318617218b49b48e38125a4de012242ba50468
Instruction Fuzzy Hash: 50219170549201DFC300EF64E8815AAB7E4EF96724F104A1EF499DB2A1E731DD4ACB93

Function 00A31571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A31014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A3102A
Part of subcall function 00A31014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A31036
Part of subcall function 00A31014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A31045
Part of subcall function 00A31014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A3104C
Part of subcall function 00A31014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A31062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A315BE
_memcmp.LIBVCRUNTIME ref: 00A315E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A31617
HeapFree.KERNEL32(00000000), ref: 00A3161E

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4c1caba71617d620121926865b40fc6e4d3ac3b977cc5074c7d4a0f47c5e7e7a
Instruction ID: a20ce809abea1bf9fe0cf3104836bbc8c807ee5c51782c39607c5205f09f8aae
Opcode Fuzzy Hash: 4c1caba71617d620121926865b40fc6e4d3ac3b977cc5074c7d4a0f47c5e7e7a
Instruction Fuzzy Hash: 6821AC31E00209EFDF00DFE5C945BEEB7B8EF84354F098469E441AB241E770AA05CBA0

Function 00A62782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A6280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A62824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A62832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A62840

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fc298f24a92a9eea08efb0b84eecc3fdc7087773b6eeb0ea4d762570b1e5f493
Instruction ID: 5e6ffe376d3136b11937a644a96d283337bec78693ca5a1c78c94a2b764005e0
Opcode Fuzzy Hash: fc298f24a92a9eea08efb0b84eecc3fdc7087773b6eeb0ea4d762570b1e5f493
Instruction Fuzzy Hash: 5F21CF31205911AFD714DB24CC44FAA7BB5AF95324F148159F4668B6E2CBB1FC82CBD0

Function 00A378F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A38D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A3790A,?,000000FF,?,00A38754,00000000,?,0000001C,?,?), ref: 00A38D8C
Part of subcall function 00A38D7D: lstrcpyW.KERNEL32(00000000,?,?,00A3790A,?,000000FF,?,00A38754,00000000,?,0000001C,?,?,00000000), ref: 00A38DB2
Part of subcall function 00A38D7D: lstrcmpiW.KERNEL32(00000000,?,00A3790A,?,000000FF,?,00A38754,00000000,?,0000001C,?,?), ref: 00A38DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A38754,00000000,?,0000001C,?,?,00000000), ref: 00A37923
lstrcpyW.KERNEL32(00000000,?,?,00A38754,00000000,?,0000001C,?,?,00000000), ref: 00A37949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A38754,00000000,?,0000001C,?,?,00000000), ref: 00A37984

Strings

cdecl, xrefs: 00A3797B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cd6743b1648d20c33dc351009683c69b0ec37260a20b7039e0b53ba4a36c20b3
Instruction ID: 3b8a8b5004db49981fa02318f61f0ee52a267b49674b9e31a729876b46456b96
Opcode Fuzzy Hash: cd6743b1648d20c33dc351009683c69b0ec37260a20b7039e0b53ba4a36c20b3
Instruction Fuzzy Hash: 5711D67A200341ABCB259F35D845E7A77A5FF85390F50412AF946C7264EB719811C751

Function 00A67CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A67D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A67D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A67D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A4B7AD,00000000), ref: 00A67D6B

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b6e297519dff3787c646b633c4d89c3bc2d4594994379cd65663292de2afdd6a
Instruction ID: fb289705ebe18fc89ee625c44574d2dc2c41242d12a95bfa16b2b652ef439728
Opcode Fuzzy Hash: b6e297519dff3787c646b633c4d89c3bc2d4594994379cd65663292de2afdd6a
Instruction Fuzzy Hash: 99118C35624615AFCB119F68CC04ABA3BB5AF46374F158B24F839C72F0E7309951CB50

Function 00A65660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A656BB
_wcslen.LIBCMT ref: 00A656CD
_wcslen.LIBCMT ref: 00A656D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A65816

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 2eab0a0734cee9c89fd6a4683ad23033f2f107fe70f85e5427d90be6b77e7e90
Instruction ID: c71925ee15c9c2f199247e907e41ae628876a5105141789a878b9f1736bc455e
Opcode Fuzzy Hash: 2eab0a0734cee9c89fd6a4683ad23033f2f107fe70f85e5427d90be6b77e7e90
Instruction Fuzzy Hash: 3C11B176E00609A6DB20DFB1CC85AFE77BCAF11764F10806AF915D6081EBB48A80CB60

Function 00A01D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f843a7166f297121f687e1a0fe476ef065dfc5b3f1e9c14819df5e225c1f874d
Instruction ID: b26f0f20ac43b080ffb6bc8ec006f7feb383ca52a008275941dd16b516d02d74
Opcode Fuzzy Hash: f843a7166f297121f687e1a0fe476ef065dfc5b3f1e9c14819df5e225c1f874d
Instruction Fuzzy Hash: 3B0181B220961E7EF62127B87CC5FB7666DEF867B8F340325F521A11D2EB608C015170

Function 00A31A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A31A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A31A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A31A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A31A8A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7bd944243e3a815eb5c439b6fa349a08ba08a1bde4ca542f593945f4f5e481dc
Instruction ID: c12506bcfc6dac0d3f73a28e1c62981373a6ad290dd161d9c3a046959dfd5347
Opcode Fuzzy Hash: 7bd944243e3a815eb5c439b6fa349a08ba08a1bde4ca542f593945f4f5e481dc
Instruction Fuzzy Hash: 2111093AD01219FFEB11DBA5CD85FADBB78EB08750F200091EA04B7290D6716E51DB94

Function 00A3E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A3E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A3E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A3E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A3E24D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 137a49846e2fdc9a69da150f71a548b736371267a3a362025ea8496933d580a3
Instruction ID: 86733291641c13381ba754778044c1002821fac90bfb8ac3971513500046345d
Opcode Fuzzy Hash: 137a49846e2fdc9a69da150f71a548b736371267a3a362025ea8496933d580a3
Instruction Fuzzy Hash: D1110472904259BBCB01DFE8AC09AEF7FBCAB46320F004215F924E72D0D3B1990187B0

Function 009FD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,009FCFF9,00000000,00000004,00000000), ref: 009FD218
GetLastError.KERNEL32 ref: 009FD224
__dosmaperr.LIBCMT ref: 009FD22B
ResumeThread.KERNEL32(00000000), ref: 009FD249

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 035afab76809675c1fb2075128d36415cef4cf515baeb8ead928683d483e941c
Instruction ID: eb11e9f5a7337de8a80b36d65f623ff2107f744096c27a42b3f3a17dc9a5eb69
Opcode Fuzzy Hash: 035afab76809675c1fb2075128d36415cef4cf515baeb8ead928683d483e941c
Instruction Fuzzy Hash: D001807690620CBBDB116BA5DC09BFA7A6EDF82731F204219FA35961D0DBB18901C7A0

Function 00A69EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

GetClientRect.USER32(?,?), ref: 00A69F31
GetCursorPos.USER32(?), ref: 00A69F3B
ScreenToClient.USER32(?,?), ref: 00A69F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A69F7A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1bc2e0171b8034479a03ffcfa6b6101ba42ac4ebd3a0782af9e65466ebb0d75a
Instruction ID: db542b5aa6ff69060be63a0c53910c04ea4a40dbabaf3ceb8501c72a76b48512
Opcode Fuzzy Hash: 1bc2e0171b8034479a03ffcfa6b6101ba42ac4ebd3a0782af9e65466ebb0d75a
Instruction Fuzzy Hash: BD11453690011AABDB00DFA8C9899FF77BCFB45321F014455F912E3140D770BA82CBA1

Function 009D600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009D604C
GetStockObject.GDI32(00000011), ref: 009D6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 009D606A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 63e480c1cbe82bf163747f205680c34e107f3cdeb0c4d7b165f3cfe32c6b08ca
Instruction ID: a6b867e7b8a1043960ca5d53db551db8452b1a87c2366ac39728654bb755a2bb
Opcode Fuzzy Hash: 63e480c1cbe82bf163747f205680c34e107f3cdeb0c4d7b165f3cfe32c6b08ca
Instruction Fuzzy Hash: 9011AD72101509BFEF129FA5CC44EEABB7DEF093A4F004202FA1452210D776DC60DBA0

Function 009F3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 009F3B56

Part of subcall function 009F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009F3AD2
Part of subcall function 009F3AA3: ___AdjustPointer.LIBCMT ref: 009F3AED

_UnwindNestedFrames.LIBCMT ref: 009F3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009F3B7C
CallCatchBlock.LIBVCRUNTIME ref: 009F3BA4

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: a2b2e03f685ca497a8dafdf34a58cd3ded066ecdea28631886ca59a948d91095
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BD01D73210014DBBDF125E95CC46EFB7B6DEF98754F048015FE5866121C636E9619BA0

Function 00A03073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009D13C6,00000000,00000000,?,00A0301A,009D13C6,00000000,00000000,00000000,?,00A0328B,00000006,FlsSetValue), ref: 00A030A5
GetLastError.KERNEL32(?,00A0301A,009D13C6,00000000,00000000,00000000,?,00A0328B,00000006,FlsSetValue,00A72290,FlsSetValue,00000000,00000364,?,00A02E46), ref: 00A030B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A0301A,009D13C6,00000000,00000000,00000000,?,00A0328B,00000006,FlsSetValue,00A72290,FlsSetValue,00000000), ref: 00A030BF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9fb0def5753d044684b173dfbc220d149790ffcb988fa2e1ad6fb5fc1a9621d4
Instruction ID: 4a17a0fd395e22688519b55dc445ac872dcfeeabea69530f4d3174c09946f2da
Opcode Fuzzy Hash: 9fb0def5753d044684b173dfbc220d149790ffcb988fa2e1ad6fb5fc1a9621d4
Instruction Fuzzy Hash: FB01843371222AABCF218FB9BC549677BACAF45B71B114621F946E71C0D721D902C6E0

Function 00A37464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A3747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A37497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A374AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A374CA

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 34cd750b2c1b3e8b658bfebf8cdd50c2d009159931f366f61000d0e5cfa417c3
Instruction ID: a38f8a6bf61bf3acfa3d979f73626593478ebd28afba1d5d57b5e9e4b80d7892
Opcode Fuzzy Hash: 34cd750b2c1b3e8b658bfebf8cdd50c2d009159931f366f61000d0e5cfa417c3
Instruction Fuzzy Hash: 39113CB52053159BE730CF54EC09BA67BF8EB00B14F10856AB656D6551D7B0F904DB50

Function 00A3B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A3ACD3,?,00008000), ref: 00A3B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A3ACD3,?,00008000), ref: 00A3B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A3ACD3,?,00008000), ref: 00A3B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A3ACD3,?,00008000), ref: 00A3B126

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 139e591431c21bb67de5aeaea938706fd3747bd1e2bddb3e18dd6ec6e17735eb
Instruction ID: c03d74216cb271abe253a71008f602c89084622db72d9636d767a099fb6127df
Opcode Fuzzy Hash: 139e591431c21bb67de5aeaea938706fd3747bd1e2bddb3e18dd6ec6e17735eb
Instruction Fuzzy Hash: FA11AD30C1062CE7CF04EFE4E9586FEBB78FF0A320F104286EA81B6185CB7086518B61

Function 00A67E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A67E33
ScreenToClient.USER32(?,?), ref: 00A67E4B
ScreenToClient.USER32(?,?), ref: 00A67E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A67E8A

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 112114044498d560fbdeb7bce57b0722a65d011cbbfab514e7f3cb97a0a08530
Instruction ID: 7b1efcf77c42d618771cf24cdb807bf01da4108927ca37551745942bcf112ba7
Opcode Fuzzy Hash: 112114044498d560fbdeb7bce57b0722a65d011cbbfab514e7f3cb97a0a08530
Instruction Fuzzy Hash: A81153B9D0024AAFDB41CF98C884AEEBBF9FF08310F509066E955E3210D775AA55CF90

Function 00A32DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A32DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A32DD6
GetCurrentThreadId.KERNEL32 ref: 00A32DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A32DE4

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d788d738c27019db6276807e7625f6614360103cf04851593b5ac28d1b3ca422
Instruction ID: 0559fc94082277a2c8550b8715e60d35208c5880a535c3c41adcfe68a786809c
Opcode Fuzzy Hash: d788d738c27019db6276807e7625f6614360103cf04851593b5ac28d1b3ca422
Instruction Fuzzy Hash: 0EE0ED755012247ADB206BA2DC0DFFB7E7DEF56BB1F401115F506D10909AE58942C6B1

Function 00A68863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009E9693
Part of subcall function 009E9639: SelectObject.GDI32(?,00000000), ref: 009E96A2
Part of subcall function 009E9639: BeginPath.GDI32(?), ref: 009E96B9
Part of subcall function 009E9639: SelectObject.GDI32(?,00000000), ref: 009E96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A68887
LineTo.GDI32(?,?,?), ref: 00A68894
EndPath.GDI32(?), ref: 00A688A4
StrokePath.GDI32(?), ref: 00A688B2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ff3156d397d52ba028d02a17f23d22e6f539603d77dfd4adedbc827e903b5ad2
Instruction ID: 9019737479aea4726edd8a8f3d0357aa2c0590c9127dea13c0ff6959b61854cb
Opcode Fuzzy Hash: ff3156d397d52ba028d02a17f23d22e6f539603d77dfd4adedbc827e903b5ad2
Instruction Fuzzy Hash: 7AF05E36041259FADB12AFD4AC09FDE3F69AF0A360F448100FA61650E2C7B95512CFE5

Function 009E98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009E98CC
SetTextColor.GDI32(?,?), ref: 009E98D6
SetBkMode.GDI32(?,00000001), ref: 009E98E9
GetStockObject.GDI32(00000005), ref: 009E98F1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: d6c2bc03668eabe98f4b75b4f48ddc44e4886559cffaf7441b6b25618585860e
Instruction ID: f298daf711e6f86ca52a8ce81d3d0536745254424416d4940e5ebdc3e0dae734
Opcode Fuzzy Hash: d6c2bc03668eabe98f4b75b4f48ddc44e4886559cffaf7441b6b25618585860e
Instruction Fuzzy Hash: 24E06531244280AADB219BB8BC09BED3F21AB12335F048329F6FA540E1C3B146519B11

Function 00A3162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A31634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A311D9), ref: 00A3163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A311D9), ref: 00A31648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A311D9), ref: 00A3164F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 40e6bfc75fa1b88998a11f533698d46c27fd16cb5d915da82174e7507159bfbe
Instruction ID: 871e434c7c952b6fe5c906c27333acee20f7dd9e9db7bb520125a5674d9a356f
Opcode Fuzzy Hash: 40e6bfc75fa1b88998a11f533698d46c27fd16cb5d915da82174e7507159bfbe
Instruction Fuzzy Hash: 38E08631601211EBD7206FF19D0DBA63B7CAF447A5F154808F685C9080D7B44542C750

Function 00A2D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A2D858
GetDC.USER32(00000000), ref: 00A2D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A2D882
ReleaseDC.USER32(?), ref: 00A2D8A3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 02c278a0818b1de75d2e6eb10f236c2810aa57a1b5e3fb1ded88082c6ba41e2f
Instruction ID: dea3778b49779028b767ea5de8c3955c0d63ff36f80e8ceaff6bf9b4048607e3
Opcode Fuzzy Hash: 02c278a0818b1de75d2e6eb10f236c2810aa57a1b5e3fb1ded88082c6ba41e2f
Instruction Fuzzy Hash: D2E01AB9800245DFCB41DFE4D80867DBBB1FB08321F14A419E88AE7250C7B85902AF44

Function 00A2D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A2D86C
GetDC.USER32(00000000), ref: 00A2D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A2D882
ReleaseDC.USER32(?), ref: 00A2D8A3

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: af5e0dc5aaab9e4e19bdf87f47336924775ee502322ee7d2df723182f9dbacbd
Instruction ID: a052c6f3512ae1e5140a606745be6f4011502c69d6a5f4a5ab09236c95b3a48e
Opcode Fuzzy Hash: af5e0dc5aaab9e4e19bdf87f47336924775ee502322ee7d2df723182f9dbacbd
Instruction Fuzzy Hash: 17E012B8800240EFCB41EFE0D80866DBBB1FB08321B14A409E98AE7250CBB85902AF44

Function 00A44D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 009D7620: _wcslen.LIBCMT ref: 009D7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A44ED4

Strings

*, xrefs: 00A44E10
LPT, xrefs: 00A44DFB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f0723b5f7fd1de0f8a62de29cbc02fffb0370017e78113908eb8d3f4bac9e184
Instruction ID: cd698dfb285d0b84575660ea7a53f89efffe168696b1cd0c80a3850528e6bf29
Opcode Fuzzy Hash: f0723b5f7fd1de0f8a62de29cbc02fffb0370017e78113908eb8d3f4bac9e184
Instruction Fuzzy Hash: 37916079A002049FDB14DF58C485FAABBF1BF88704F198099E80A9F362D771ED85CB91

Function 009FE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009FE30D

Strings

pow, xrefs: 009FE2E5, 009FE302

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4f3205065c7c555d96837ef2fe6f387aa032d1c97043aaea1abbff4a0940b6a6
Instruction ID: 26f0d456032491e3bfe42d39eba8c45e5790fae8b489e302ee97774222a2052c
Opcode Fuzzy Hash: 4f3205065c7c555d96837ef2fe6f387aa032d1c97043aaea1abbff4a0940b6a6
Instruction Fuzzy Hash: 37517D71E0D20E96CB15BB14ED453BD3BA8EB40740F308DA8E1D5822F9EB349CD29B46

Function 009EE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 009EE1B1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9aae62413e0e90db5d081636eb8b323392981648936d2c313b49b2c4bf669ba2
Instruction ID: b93825f2f733911597a367495a0f6dd5b77f42cc587cc0f0ae85868780c94143
Opcode Fuzzy Hash: 9aae62413e0e90db5d081636eb8b323392981648936d2c313b49b2c4bf669ba2
Instruction Fuzzy Hash: 5B514535600296DFDF16DF68D0816FA7BA8EF55310F248069EDA19B3C0D7349D82CBA0

Function 009EF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 009EF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 009EF2BB

Strings

@, xrefs: 009EF2AF

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7d4bba96a19dbc8e706bc75084cb0a6ddf8ca952af277435c5dea5a567b841f7
Instruction ID: afe3e17b399ee72356278b4c25dbb5214741f3df90aee920c51f242fae98e609
Opcode Fuzzy Hash: 7d4bba96a19dbc8e706bc75084cb0a6ddf8ca952af277435c5dea5a567b841f7
Instruction Fuzzy Hash: 1A5138714087459BD320EF54DC86BABBBF8FBC4300F81885EF1D991295EB708529CB66

Function 00A55745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A557E0
_wcslen.LIBCMT ref: 00A557EC

Strings

CALLARGARRAY, xrefs: 00A557E6, 00A557EB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ea43ee59f0079925925a557eb9223d871303373ae57035b9ec596acd2058ca2a
Instruction ID: 760f6769cb3c5989ccac0247ef85dfd7f02d1d4c243ce9840cac43688cd6cd8f
Opcode Fuzzy Hash: ea43ee59f0079925925a557eb9223d871303373ae57035b9ec596acd2058ca2a
Instruction Fuzzy Hash: 4241B031E002099FCB04DFB9C8919BEBBB5FF99321F10802AF805A7251E7719D85DBA0

Function 00A4D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A4D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A4D13A

Strings

|, xrefs: 00A4D10B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c0072d59fc88e555842e1bd08651e44a66a3e0f50535a908a840c5367445d83a
Instruction ID: 90fef041bb290195c17b03d923e4fd676e6bdeafa50f62654649712efe3d44f9
Opcode Fuzzy Hash: c0072d59fc88e555842e1bd08651e44a66a3e0f50535a908a840c5367445d83a
Instruction Fuzzy Hash: 05313B75D00209ABCF15EFA4CC85AEEBFB9FF45300F10411AF915A6262E731AA56DB60

Function 00A6356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A63621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A6365C

Strings

static, xrefs: 00A635BC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ee20e5477be08a31e30a8eafd6343309af460313927625c271efebf016d31960
Instruction ID: 894ea225420530ebe772d4aa59d1df3df5a11734a855c873f589b750f5b11cd4
Opcode Fuzzy Hash: ee20e5477be08a31e30a8eafd6343309af460313927625c271efebf016d31960
Instruction Fuzzy Hash: AC318B72100204AEDB10DF68DC80FFB73B9FF88724F00961AF9A597290DA74AD82C760

Function 009E97C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

Part of subcall function 009E9944: GetWindowLongW.USER32(?,000000EB), ref: 009E9952

GetParent.USER32(?), ref: 00A273A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 00A2742D

Strings

V, xrefs: 009E980F, 00A273D2, 00A273F9

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: V
API String ID: 2181805148-4045069856
Opcode ID: 5f6cb64855d5a9c30ebd5769cd3ec9251cf38c70f4532e8b799d4bfb64e3c09e
Instruction ID: e4c6f7edf43ccd880d6f24bf94d91cd002391e7e7e89c22e59af40e246cd6928
Opcode Fuzzy Hash: 5f6cb64855d5a9c30ebd5769cd3ec9251cf38c70f4532e8b799d4bfb64e3c09e
Instruction Fuzzy Hash: 2121BF34600154AFCB26DF6EDC49EB93BA6EF4A370F144265F9254B2F2C3319E11EA50

Function 00A631EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A6327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A63287

Strings

Combobox, xrefs: 00A63249

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8bdf0c2db14f2f3b45270060c84ea40c356bf7e390a9aa0642b290cf27aa5fe9
Instruction ID: 2265c70cbf5f9d472f6fee68ef8ecdccb15407713013dc7ae9cb82bbead6126e
Opcode Fuzzy Hash: 8bdf0c2db14f2f3b45270060c84ea40c356bf7e390a9aa0642b290cf27aa5fe9
Instruction Fuzzy Hash: B71193723001097FEF119FA4DC90EFB37BAEBA5364F104125F51497290D6759D528760

Function 00A632A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00A632C7
CreatePopupMenu.USER32 ref: 00A63339

Strings

V, xrefs: 00A63313, 00A6334B

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CreateMenuPopup
String ID: V
API String ID: 3826294624-4045069856
Opcode ID: f59e19840fc313b7cd806b751d914db53622b480b49c7bfa3b451b680ab3dcf2
Instruction ID: 96f8574205f7166ed158c6166d0563b02349b8dc61c8b4c5b1fa634057e181c2
Opcode Fuzzy Hash: f59e19840fc313b7cd806b751d914db53622b480b49c7bfa3b451b680ab3dcf2
Instruction Fuzzy Hash: F8213B35604204AFCB10CF69C495AD677F9FF1A364F08806AE9998B351D331A903CF51

Function 00A63710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009D604C
Part of subcall function 009D600E: GetStockObject.GDI32(00000011), ref: 009D6060
Part of subcall function 009D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009D606A

GetWindowRect.USER32(00000000,?), ref: 00A6377A
GetSysColor.USER32(00000012), ref: 00A63794

Strings

static, xrefs: 00A63757

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f0e13ee58f2a957a911750c284dd38c43e21c158528fcda0ff69d0e36bb8946d
Instruction ID: db9ffebd298eb9a5521a4e54d4013df99aca2c49bd7cfa2b8b1ba5e6fc52d1b9
Opcode Fuzzy Hash: f0e13ee58f2a957a911750c284dd38c43e21c158528fcda0ff69d0e36bb8946d
Instruction Fuzzy Hash: 39113AB2610209AFDF01DFA8CD45EFA7BB8FB09354F004915F956E3250D775E8519B50

Function 00A66181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A661FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00A66225

Strings

V, xrefs: 00A661A2

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: V
API String ID: 3850602802-4045069856
Opcode ID: c6b333edb08cd16088c3a0634776e91d419d09894ead5e1351783cc539c8b6e9
Instruction ID: 7d6c30dd3cdd6912d9d04f7d2677a14ffb89e111cf4846121ab1cb01f164da0c
Opcode Fuzzy Hash: c6b333edb08cd16088c3a0634776e91d419d09894ead5e1351783cc539c8b6e9
Instruction Fuzzy Hash: E311C171940214BEEF108FB8CC29FFA3BB8EB0A714F004115FA16AA1E1D3B4DA10DB50

Function 00A4CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A4CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A4CDA6

Strings

<local>, xrefs: 00A4CD66

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d4c40c869d5463075ed7d3cd5c821d94bad86395ae5865e9b875bf350b331686
Instruction ID: 953e5249aa0c7f9df78d0b50bbfe9c2a04fa3e06c63b0cbbc80c83f8b1c9b8f8
Opcode Fuzzy Hash: d4c40c869d5463075ed7d3cd5c821d94bad86395ae5865e9b875bf350b331686
Instruction Fuzzy Hash: D1110679A026317AD7784B668C44EF3BEACEF927B4F004226B10D83080D3749841D6F0

Function 00A63429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A634AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A634BA

Strings

edit, xrefs: 00A6348F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f20c013490525c078fe994a8c33d500812b9b08f90a90c923f204f1246840723
Instruction ID: 63d75fe100164bda6b41ef29659841917c80584ef1593fce6cc538c761bff5e0
Opcode Fuzzy Hash: f20c013490525c078fe994a8c33d500812b9b08f90a90c923f204f1246840723
Instruction Fuzzy Hash: 71118C72100208ABEF128FA5DC88ABB777AEF05775F504724FA61931E0CB75DC929B60

Function 00A64F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00A64FCC

Strings

V, xrefs: 00A64FA1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: V
API String ID: 3850602802-4045069856
Opcode ID: fc3c8dfe68560233b7589fcb35f682eefa167a8acc59ceedcfa15c60ad1dc510
Instruction ID: bcac1b2ba512f3dbfad58e6921b44c0430d645b2aabb89e9207bf576b23dd763
Opcode Fuzzy Hash: fc3c8dfe68560233b7589fcb35f682eefa167a8acc59ceedcfa15c60ad1dc510
Instruction Fuzzy Hash: D121E27AA0011AEFCB15CFA8C9408EA7BB9FB4D350B014154FE06A7320D735ED21EBA0

Function 00A36C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A36CB6
_wcslen.LIBCMT ref: 00A36CC2

Strings

STOP, xrefs: 00A36CBC, 00A36CC1

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 84a9eed8bbeb29593f8e5a34aa9e908ef5947bd92c2ca6cd56fe66cafcc91753
Instruction ID: 675f90ab269a3aba531855c184663695bd19f3aa46173e90925deb922060f342
Opcode Fuzzy Hash: 84a9eed8bbeb29593f8e5a34aa9e908ef5947bd92c2ca6cd56fe66cafcc91753
Instruction Fuzzy Hash: 87012632A00926ABCB20AFFDDC809BF73B4FBA0754F008529F85297291EB31D900C750

Function 009E90DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

V, xrefs: 00A27077, 00A2709D

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-4045069856
Opcode ID: c2227d08ce20d3fb1e81819a389ee2a6f75a1b2b628d175dfb99ce31ae9247de
Instruction ID: b12ffbd9b19fdb162a53c84b5c7fcdc842ef1d24f1642fa61394b7ac7c360b8a
Opcode Fuzzy Hash: c2227d08ce20d3fb1e81819a389ee2a6f75a1b2b628d175dfb99ce31ae9247de
Instruction Fuzzy Hash: 7F115E34604605AFCB21DF6DD840EA977A6FB4A320F148229F9258B2E0C771EE45CF80

Function 00A31CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A31D4C

Strings

ListBox, xrefs: 00A31D16
ComboBox, xrefs: 00A31CEB

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6cd5ad6c97d16f2d4b6adfa4241bf47b1854cc4df58bc2f37e4d467f8a406e6b
Instruction ID: aed319f125d9c18f43a1e59b71afb1c9b5517bf4bb46681264f4e57f490f4a73
Opcode Fuzzy Hash: 6cd5ad6c97d16f2d4b6adfa4241bf47b1854cc4df58bc2f37e4d467f8a406e6b
Instruction Fuzzy Hash: 3301B175B41218AB8F08FBB4DD529FE73A8FB57390F444A1AF862673C1EA3459088760

Function 00A31BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A31C46

Strings

ListBox, xrefs: 00A31C10
ComboBox, xrefs: 00A31BE5

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ca94a855d9ebb61345561cbe3ae9e3c1b3cfd056fb494f623d5a1a3271eb0b52
Instruction ID: 9f65c5b51dccb1e3e0cb60d9689e2af61ac1fbfb9b2618c654d45a058ad839de
Opcode Fuzzy Hash: ca94a855d9ebb61345561cbe3ae9e3c1b3cfd056fb494f623d5a1a3271eb0b52
Instruction Fuzzy Hash: FB01A275B811086ACF04FBA1CA52AFF77E89B51340F14541AF85667281EA649E0C97B1

Function 00A31C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A31CC8

Strings

ListBox, xrefs: 00A31C94
ComboBox, xrefs: 00A31C69

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 66f35f08fd27b52b51fe3fb1a4dd48cee71a5659a0878dfe2743c6bb97a819a7
Instruction ID: b442ec5f9d5d7fe6dd8c28a7cb3eb194565dd703b373dd1cc88a13ddd12745ff
Opcode Fuzzy Hash: 66f35f08fd27b52b51fe3fb1a4dd48cee71a5659a0878dfe2743c6bb97a819a7
Instruction Fuzzy Hash: CA01D1B6B8021867CF04FBA0CB02AFE73E8AB11340F145416B84673281EA609F19D671

Function 00A31D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9CB3: _wcslen.LIBCMT ref: 009D9CBD

Part of subcall function 00A33CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A33CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A31DD3

Strings

ListBox, xrefs: 00A31DA0
ComboBox, xrefs: 00A31D75

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f951b2c6b208f5d2d2510492fa564bbabbcedbbb42bcdbcbd72268b961d98b3e
Instruction ID: 7fa2a43cb09275b1490aa6f7e2c3257223d9e88e8a343c04ecae2d8d2791e474
Opcode Fuzzy Hash: f951b2c6b208f5d2d2510492fa564bbabbcedbbb42bcdbcbd72268b961d98b3e
Instruction Fuzzy Hash: 44F0C271B9121866DB04F7B4DD52FFF77B8AF42790F040D1AF862633C1EA605A0C8260

Function 00A690A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009E9BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00A2769C,?,?,?), ref: 00A69111

Part of subcall function 009E9944: GetWindowLongW.USER32(?,000000EB), ref: 009E9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00A690F7

Strings

V, xrefs: 00A690D6

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: V
API String ID: 982171247-4045069856
Opcode ID: 8304decf8541ad8ed065935ef01203ebcc902a4d5a594c90aacfc4770bee642a
Instruction ID: 16b9a86e8d147b9407be91ba21748c80a3358016baf9f153620755fccc81016e
Opcode Fuzzy Hash: 8304decf8541ad8ed065935ef01203ebcc902a4d5a594c90aacfc4770bee642a
Instruction Fuzzy Hash: 1101BC34100215BBDB21DF54DC89FA73BBAEB86365F200129F9510B2E1CB726C42DB60

Function 00A5747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A57493
_wcslen.LIBCMT ref: 00A574B9

Strings

3, 3, 16, 1, xrefs: 00A57483

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 694164169722d7793c9d8a560b83e236dedc24035ca94ed6497195fb9b87eac3
Instruction ID: 5ab9503c7e75bf8ca9e7fa7e396456af9e77781ea18814bf8490bf396573a58b
Opcode Fuzzy Hash: 694164169722d7793c9d8a560b83e236dedc24035ca94ed6497195fb9b87eac3
Instruction Fuzzy Hash: 3CE02B423142202092311379BCC1A7F5699EFC5B91714182FFE85D6266EAE48DD193A1

Function 00A30B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A30B23

Strings

Error allocating memory., xrefs: 00A30B1C
AutoIt, xrefs: 00A30B17

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 02b7e6c311e5d656d60c235c583b527390668759d1e30e834a3cf1218082ed93
Instruction ID: 6ce7a2ac72894dbfd4f18ff891f99c03cda77eabce33bdf08183ad817985da9b
Opcode Fuzzy Hash: 02b7e6c311e5d656d60c235c583b527390668759d1e30e834a3cf1218082ed93
Instruction Fuzzy Hash: 8AE0DF323843483AD3113B957C03F9A7AD49F05B20F10482BFBD8A55C38AE2289007A9

Function 009F0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009F0D71,?,?,?,009D100A), ref: 009EF7CE

IsDebuggerPresent.KERNEL32(?,?,?,009D100A), ref: 009F0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009D100A), ref: 009F0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009F0D7F

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 13173e069c03ee28ab391bf8484696f493c350e3f27c91afaafc46d7862a659b
Instruction ID: 0fc8292abaa7238e362bc357f3730c7afa9af09a25f18e2bca2ae4640c9355f0
Opcode Fuzzy Hash: 13173e069c03ee28ab391bf8484696f493c350e3f27c91afaafc46d7862a659b
Instruction Fuzzy Hash: F9E06D742003518FD770EFB8E4043667BF8AB44744F00892EE982C6692DBB2E4458BA1

Function 00A43017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A4302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A43044

Strings

aut, xrefs: 00A43038

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ca307f06b722ef9c04b2b98aef6686c5801c0f948ec100722c2fcd86c5fc2ae6
Instruction ID: 94e1ccb860e37ade3439b017e450de1028661d140fd4575a8fa800d288951caa
Opcode Fuzzy Hash: ca307f06b722ef9c04b2b98aef6686c5801c0f948ec100722c2fcd86c5fc2ae6
Instruction Fuzzy Hash: 05D05E7250032877DA20E7E4EC0EFDB3A7CDB04760F0006A2BA95E60D1DAF49985CAD0

Function 00A2D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A2D220

Strings

%.3d, xrefs: 00A2D22B
X64, xrefs: 00A2D2A8

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 54fc40396eb37a0fb0161cc248b906f66b11c28bc3c26c5cbd532b7f81634602
Instruction ID: 4106a6c9f8ca889dcde1cab68173f503eaab17caa9c4d0444ae1d2473c20e72a
Opcode Fuzzy Hash: 54fc40396eb37a0fb0161cc248b906f66b11c28bc3c26c5cbd532b7f81634602
Instruction Fuzzy Hash: 9BD012B1809128E9CF5097E4EC459FAB3BCBB08301F648472FD06A1042D624C908A761

Function 00A62322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A6232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A6233F

Part of subcall function 00A3E97B: Sleep.KERNEL32 ref: 00A3E9F3

Strings

Shell_TrayWnd, xrefs: 00A62325

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d82f97bc55ef9bf692ce242442572f85140b11e7594373943ada860a0414c41c
Instruction ID: bf9ed561b8fb864f0b878bfbdaa5a4c9ed23c62cd5b5ba83baa05ed48d40b0cc
Opcode Fuzzy Hash: d82f97bc55ef9bf692ce242442572f85140b11e7594373943ada860a0414c41c
Instruction Fuzzy Hash: 4FD012363D4310B7EA64F7B0EC0FFD6BA64AF04B20F004916B786AA1D0C9F4A802CB54

Function 00A62356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A6236C
PostMessageW.USER32(00000000), ref: 00A62373

Part of subcall function 00A3E97B: Sleep.KERNEL32 ref: 00A3E9F3

Strings

Shell_TrayWnd, xrefs: 00A62365

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ecfc228618b512633dcd8a44c84edac31f78a5df0773a8f5b175610179bbc1fc
Instruction ID: d750a6b087d7edcce7f7913703f3b98e40e7db967b65b6637052ca29a6ff35a9
Opcode Fuzzy Hash: ecfc228618b512633dcd8a44c84edac31f78a5df0773a8f5b175610179bbc1fc
Instruction Fuzzy Hash: 1BD0C7353C131076E564F7B0DC0FFD665545B04710F004915B646A51D0C9E464018654

Function 00A0BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A0BE93
GetLastError.KERNEL32 ref: 00A0BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A0BEFC

Memory Dump Source

Source File: 00000000.00000002.2087935413.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.2087876437.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A6C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088050928.0000000000A92000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088225486.0000000000A9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088280808.0000000000AA4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: d98643705036ed6910f5bceb8b49b64d7750b22cbf1b9681492cca24912c9b66
Instruction ID: e2dd0f448ccacc78048b99dbb202c8db4e80d186aeb695a7018461aee761d20e
Opcode Fuzzy Hash: d98643705036ed6910f5bceb8b49b64d7750b22cbf1b9681492cca24912c9b66
Instruction Fuzzy Hash: 9041C63461020AAFCF21CFA4EE54ABABBB5AF41720F144169FA59971E1DB30CD01CB70

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2272953581.000025D392D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276388721.000001FADF642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264864425.000001FADF642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2252559940.000001FADFF53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270851699.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279337949.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270851699.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279337949.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247121243.000001FAD84B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276388721.000001FADF642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264864425.000001FADF642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293042688.000001FADDE3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2293042688.000001FADDE3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2252559940.000001FADFF53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270851699.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279337949.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2270851699.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279337949.000001FAD86A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247121243.000001FAD84B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3284458947.0000027A1FD0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3284458947.0000027A1FD0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3284458947.0000027A1FD0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3283675207.000001E980503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2228857863.000001FAE0FCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252290515.000001FAE0FCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2284679034.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276388721.000001FADF642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264864425.000001FADF642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2284679034.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295559091.000001FAD7BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249045365.000001FAD7BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:56277 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:56278 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56228
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56305
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56278
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ec1ca031-ec86-4970-a4ac-40b9ed9a89e3.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ec1ca031-ec86-4970-a4ac-40b9ed9a89e3.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre